The Power of Proofs-of-Possession: Securing Multiparty ... · have the adversary use a public key that is a function of an honest user’s key, allowing him to produce forgeries easily

A preliminary version of this paper appears in Advances in Cryptology – EUROCRYPT 2007,Lecture Notes in Computer Science Vol. 4515, pp. 228–245, M. Naor ed., Springer-Verlag, 2007.This is the full version.

The Power of Proofs-of-Possession:

Securing Multiparty Signatures against Rogue-Key Attacks

Thomas Ristenpart∗ Scott Yilek†

Abstract

Multiparty signature protocols need protection against rogue-key attacks, made possiblewhenever an adversary can choose its public key(s) arbitrarily. For many schemes, provablesecurity has only been established under the knowledge of secret key (KOSK) assumption wherethe adversary is required to reveal the secret keys it utilizes. In practice, certifying authoritiesrarely require the strong proofs of knowledge of secret keys required to substantiate the KOSKassumption. Instead, proofs of possession (POPs) are required and can be as simple as justa signature over the certificate request message. We propose a general registered key model,within which we can model both the KOSK assumption and in-use POP protocols. We showthat simple POP protocols yield provable security of Boldyreva’s multisignature scheme [11],the LOSSW multisignature scheme [28], and a 2-user ring signature scheme due to Bender,Katz, and Morselli [10]. Our results are the first to provide formal evidence that POPs can stoprogue-key attacks.

Keywords: Proofs of possession, PKI, multisignatures, ring signatures, bilinear maps

∗Dept. of Computer Science & Engineering 0404, University of California San Diego, 9500 Gilman Drive, LaJolla, CA 92093-0404, USA. Email: [email protected]. URL: http://www-cse.ucsd.edu/users/tristenp.Supported in part by NSF grant CNS-0524765.

†Dept. of Computer Science & Engineering 0404, University of California San Diego, 9500 Gilman Drive, La Jolla,CA 92093-0404, USA. Email: [email protected]. URL: http://www-cse.ucsd.edu/users/syilek. Supported inpart by NSF grant CNS-0430595 and a Jacobs School Fellowship.

1

Contents

1 Introduction 3

2 Preliminaries 5

3 The Registered Key Model 6

4 Multisignatures using POPs 74.1 Multisignatures Based on BLS Signatures . . . . . . . . . . . . . . . . . . . . . . . . 84.2 Multisignatures Based on Waters Signatures . . . . . . . . . . . . . . . . . . . . . . . 124.3 Attacks against Standardized Key Registration Protocols . . . . . . . . . . . . . . . 154.4 Other POP Variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5 Ring Signatures in the Registered Key Model 165.1 Ring Signature Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.2 Unforgeability Implications for κ-user Schemes . . . . . . . . . . . . . . . . . . . . . 185.3 KOSK Improves Unforgeability Guarantees . . . . . . . . . . . . . . . . . . . . . . . 255.4 Ring Signatures with POPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

A Ring Signature Anonymity Definitions 35

2

1 Introduction

We refer to any scheme that generates signatures bound to a group of parties as a multipartysignature scheme. We focus on schemes that are both adaptive and decentralized: the set ofpotential signers is dynamic and no group manager is directly involved in establishing eligibility ofparticipants. Examples include multisignatures, ring signatures, designated-verifier signatures, andaggregate signatures. These schemes require special care against rogue-key attacks, which can bemounted whenever adversaries are allowed to choose their public keys arbitrarily. Typical attackshave the adversary use a public key that is a function of an honest user’s key, allowing him toproduce forgeries easily. Rogue-key attacks have plagued the development of multiparty signatureschemes [26, 20, 22, 30, 32, 33, 25, 11, 28, 37, 31].

One method for preventing rogue-key attacks is to require, during public key registration with acertificate authority (CA), that a party proves knowledge of its secret key. This setting has typicallybeen formalized as the knowledge of secret key (KOSK) assumption [11]: schemes are analyzed in asetting where adversaries must reveal their secret keys directly. This abstraction has lead to simpleschemes and straightforward proofs of security. To name a few: Boldyreva’s multisignature scheme[11] (we call it BMS), the LOSSW multisignature scheme [28] (we call it WMS for brevity and itsbasis on Waters signatures [39]), the LOSSW sequential aggregate signature scheme [28], and manydesignated-verifier signature schemes [23, 38, 27, 24]. Since simple rogue-key attacks against theseschemes are known, it might appear that the security of these schemes actually depends on partiesperforming proofs of knowledge during registration.

Drawbacks of the KOSK assumption. Unfortunately, there are substantial drawbacks tousing the KOSK assumption. Bellare and Neven discuss this in detail [7]; we briefly recall some oftheir discussion. First and foremost, the KOSK assumption is not realized by existing public keyinfrastructures (PKI). Registration protocols specified by the most widely used standards (RSAPKCS#10 [35], RFC 4210 [1], RFC 4211 [36]) do not specify that CA’s should require proofs ofknowledge. Thus, to use schemes proven secure under the KOSK assumption, one would be facedwith the daunting task of upgrading existing (and already complex) PKI. This would likely requireimplementing clients and CA’s that support zero-knowledge (ZK) proofs of knowledge that haveextraction guarantees in fully concurrent settings [4]. Non-interactive ZK proofs of knowledge [17,16, 19] could also be utilized, but these are more computationally expensive.

The plain setting. In the context of multisignatures, Bellare and Neven [7] show that it ispossible to dispense with the KOSK assumption. They provide a multisignature scheme which issecure, even against rogue-key attacks, in the plain public-key setting, where registration with aCA ensures nothing about a party’s possession or knowledge of a secret key. In this paper we areinterested in something different, namely investigating the security of schemes (that are not securein the plain setting) under more realistic key registration protocols, discussed next.

Proofs of possession. Although existing PKIs do not require proofs of knowledge, standardsmandate the inclusion of a proof of possession (POP) during registration. A POP attests that aparty has access to the secret key associated with his/her public key, which is typically accomplishedusing the functionality of the key pair’s intended scheme. For signature schemes, the simplest POPhas a party sign its certificate request message and send both the message and signature to the CA.The CA checks that the signature verifies under the public key being registered. In general, suchproofs of possession (POPs) are clearly not sufficient for substantiating the KOSK assumption. Infact, POPs have not (previously) lead to any formal guarantees of security against rogue key attacks,even though intuitively they might appear to stop adversaries from picking arbitrary public keys.This logical gap has contributed to contention regarding the need for POPs in PKI standards [2].

3

Our contributions. We suggest analyzing the security of multiparty signature schemes in aregistered key model, which allows modeling a variety of key registration assumptions includingthose based on POPs. Using the new model, we analyze the security of the BMS and WMSmultisignature schemes under POP protocols. We show that, interestingly, requiring the in-useand standardized POP protocol described above still admits rogue-key attacks. This implies theintuition mentioned above is flawed. On the positive side, we show how a slight change to thestandardized POP protocol admits proofs of security for these schemes. We also investigate thesetting of ring signatures. We describe how the key registration model can be utilized to resultin improved unforgeability guarantees. In particular we show that the Bender, Katz, and Morselli2-user ring signature scheme based on Waters signatures [10] is secure against rogue-key attacksunder a simple POP protocol. We now look at each of these contributions in more detail.

The registered key model. A key registration protocol is a pair of interactive algorithms(RegP,RegV), the former executed by a registrant and the latter executed by a certifying authority(CA). We lift security definitions to the registered key model by giving adversaries an additional keyregistration oracle, which, when invoked, executes a new instance of RegV. The security game canthen restrict adversarial behavior based on whether successful registration has occurred. Securitydefinitions in the registered key model are thus parameterized by a registration protocol. Thisapproach allows us to straightforwardly model a variety of registration assumptions, including theKOSK assumption, the plain setting and POP-based protocols.

Multisignatures under POP. A multisignature scheme allows a set of parties to jointly generatea compact signature for some message. These schemes have numerous applications, e.g. contractsigning, distribution of a certificate authority, or co-signing. The BMS and WMS schemes aresimple multisignature schemes that are based directly on the short signature schemes of Boneh,Lynn, and Shacham (BLS) [14] and Waters [39]. (That is, a multisignature with group of size oneis simply a BLS or Waters signature.) These schemes give short multisignatures (just 160 bits forBMS). Moreover, multisignature generation is straightforward: each party produces its BLS orWaters signature on the message, and the multisignature is just the (component-wise) product ofthese signatures. Both schemes fall prey to straightforward rogue-key attacks, but have proofs ofsecurity under the KOSK assumption [11, 28].

We analyze these schemes when key registration requires POPs. We show that the standardizedPOP mechanism described above, when applied to these schemes, does not lead to secure multisig-natures. Both schemes fall to rogue-key attacks despite the use of the standardized POPs. Wepresent a straightforward and natural fix for this problem: simply use separate hash functions forPOPs and multisignatures. We prove the security of BMS and WMS multisignatures under suchPOP mechanisms, giving the first formal justification that these desirable schemes can be usedin practice. Both proofs reduce to the same computational assumptions used in previous KOSKproofs and the reductions are just as tight.

Ring signatures under POP. Ring signatures allow a signer to choose a group of public keysand sign a message so that it is verifiable that some party in the group signed it, but no adver-sary can determine which party it was. The canonical application of ring signatures is leakingsecrets [34]. Bender, Katz, and Morselli (BKM) have given a hierarchy of anonymity and unforge-ability definitions for ring signature schemes [10]. For κ-user schemes, where only rings of size κare allowed, we point out that the ability to mount rogue-key attacks (as opposed to the ability tocorrupt honest parties) is a crucial distinguisher of the strength of unforgeability definitions. Weintroduce new security definitions that facilitate a formal analysis of this fact. BKM also proposetwo 2-user ring signature schemes that do not rely on random oracles, and prove them to meet theweaker unforgeability guarantee. As pointed out by Shacham and Waters, these schemes do not

4

meet the stronger definition due to rogue-key attacks [37].We show that the KOSK assumption provably protects against rogue-key attacks for a natural

class of ring signature schemes (both the BKM 2-user schemes fall into this class). We go on toprove the security of the BKM 2-user scheme based on Waters signatures under a simple POP-basedregistration protocol.

Schemes in the plain setting. We briefly overview some schemes built for the plain setting.The Micali, Ohta, and Reyzin multisignature scheme [31] was the first to be proven secure in theplain setting, but it requires a dedicated key setup phase after which the set of potential signersis necessarily static. The multisignature scheme of Bellare and Neven [7] does not require a keysetup phase, and is proven secure in the plain setting. While computationally efficient, it requiresseveral rounds of communication between all co-signers, which is more than the “non-interactive”BMS and WMS schemes.

Bender, Katz, and Morselli introduced the first ad-hoc ring signature scheme that provablyresists rogue-key attacks [10]. Their scheme is not efficient, requiring semantically-secure encryptionfor each bit of a message. The ring signature scheme of Shacham and Waters [37] is more efficientbut still not as efficient as the BKM schemes for rings of size two. Particularly, their ring signaturesare at least three times as long as those given by the BKM scheme based on Waters signaturesand they require more computational overhead. Of course, their solution works on rings with sizegreater than two.

Finally, aggregate signature schemes due to Boneh et al. [13] and Lysyanskaya et al. [29] aresecure in the plain setting.

Related work and open problems. Boldyreva et al. [12] investigate certified encryption andsignature schemes. They utilize a POP-based protocol to show the security of traditional certifiedsignatures. They do not consider multiparty signatures. Many schemes beyond those treatedhere rely on the KOSK assumption and finding POP-based protocols for such schemes, if possible,constitutes an important set of open problems. A few examples are the LOSSW sequential aggregatesignature scheme [28], the StKD encryption scheme due to Bellare, Kohno, and Shoup [5], andvarious designated-verifier signature schemes [23, 38, 27, 24].

2 Preliminaries

Basic notation. For a set S, we write Pκ(S) to mean the set of all subsets of size κ that existin S. A multiset S is a set that allows multiple copies of elements. The size of a multiset is denoted|S|. We write Multiset union S1 ∪ S2 combines two multisets, including any duplicates. Thus,|S1 ∪S2| = |S1|+ |S2|. We write S ∪← s to add (another copy of) s to S, i.e. S ← S ∪{s}. Multisetsubtraction S − {s} denotes removing one instance of s from S. Multiset difference S1\S2 resultsin the multiset formed by repeatedly executing S1 −{s} for each s ∈ S2 (note this is done once foreach element, including duplicates). Multiset equality, containment, inequality, and intersectionare defined in the natural ways. We abuse notation by using multiset notation also as booleanoperators: “If S1 ⊆ S2 then” evaluates the statement following ‘then’ if S1 is a subset of S2 anddoes not otherwise. Other boolean multiset-operators are defined in the natural way.

We define s $← S as sampling uniformly from S and s$← A(x1, x2, . . .) assigns to s the result

of running A on fresh random coins and the inputs x1, x2, . . .. We denote concatenation of stringsM and M ′ by M ||M ′. For any string M , let M [i] denote the ith bit of M . We often write (xi)

η1

to denote a vector of η values: (x1, . . . , xη). For a table Hs, let Hs[s] denote the element associatedwith s. We write Time(A) = max{t1, t2, . . .} where A = (A1, A2, . . .) is a tuple of algorithms and

5

t1, t2, . . . are their respective worst case running times.

Bilinear maps and co-CDH. The schemes we consider use bilinear maps. Let G1, G2, and GT

be groups, each of prime order p. Then G∗1, G∗

2, and G∗T represent the set of all generators of the

groups (respectively). Let e: G1×G2 → GT be an efficiently computable bilinear map (also called apairing). For the multisignature schemes we consider, we use the asymmetric setting [14, 13] whereG1 6= G2 and there exists an efficiently computable isomorphism ψ: G2 → G1. The asymmetryallows for short signatures, while ψ is needed in the proofs. For the ring signature schemes weconsider, we instead use the symmetric setting [10, 37] where G1 = G2. Let n represent the numberof bits needed to encode an element of G1; for the asymmetric setting n is typically 160. Finallylet g be a generator in G2. For the rest of the paper we treat G1,G2,GT , p, g, e as fixed, globallyknown parameters. Then we define the advantage of an algorithm A in solving the Computationalco-Diffie-Hellman (co-CDH) problem in the groups (G1,G2) as

Advco-cdh(G1,G2)(A) = Pr

[A(g, gx, h) = hx : x $← Zp;h

$← G1

]where the probability is over the random choices of x and h and the coins used by A. Here Zp isthe set of integers modulo p. Note that in the symmetric setting this is just the CDH problem.

For a group element g, we write 〈g〉 to mean some canonical encoding of g as a bit string ofthe appropriate length. We write 〈g〉n to mean the first n bits of 〈g〉. We use the shorthand ~u(resp. ~w) to mean a list of group elements u1, . . . , un (resp. w1, . . . , wn). Let tE , tψ, and te bethe maximum times to compute an exponentiation in G1, compute ψ on an element in G2, andcompute the pairing.

Signature schemes. A signature scheme S = (Pg,Kg,Sign,Ver) consists of an parameter gen-eration algorithm, a key generation algorithm, a signing algorithm that outputs a signature givena secret key and a message, and a verification algorithm that outputs a bit given a public key,message, and signature. If Pg is omitted, this means there are no public parameters requiringtrusted setup; in this case the implicit Pg algorithm just outputs an empty string. We requirethat Ver(pk,M,Sign(sk,M)) = 1 for all allowed M and valid pk, sk. Following [18], we define theadvantage of an adversary A in forging against S in a chosen message attack as

AdvufS (A) = Pr

[Ver(pk,M, σ) = 1 :

(pk, sk) $← Kg;(M,σ) $← ASign(sk,·)(pk)

]

where the probability is over the coins used by Kg, Sign, and A. We only consider adversaries thatoutput forgeries on a message M which was not queried to the oracle.

3 The Registered Key Model

Key registration protocols. Let P and S be sets and K ⊆ P × S be a relation on the sets(representing public keys, secret keys, and valid key pairs, respectively). A key registration protocolis a pair of interactive algorithms (RegP,RegV). A party registering a key runs RegP with inputspk ∈ P and sk ∈ S. A certifying authority (CA) runs RegV. We restrict our attention (withoutloss of generality) to protocols in which the last message is from RegV to RegP and contains eithera pk ∈ P or a distinguished symbol ⊥. We require that running RegP(pk, sk) with RegV results inRegV’s final message being pk whenever (pk, sk) ∈ K.

We give several examples of key registration protocols. The plain registration protocol Plain =(PlainP,PlainV) has the registrant running PlainP(pk, sk) send pk to the CA. The CA running

6

PlainV, upon receiving a public key pk, simply replies with pk. This protocol will be used tocapture the plain model, where no checks on public keys are performed by a CA. To model theKOSK assumption, we specify the registration protocol Kosk = (KoskP,KoskV). Here KoskP(pk, sk)sends (pk, sk) to the CA. Upon receiving (pk, sk), the KoskV algorithm checks that (pk, sk) ∈ K.(We assume that such a check is efficiently computable; this is the case for key pairs we consider.)If so, it replies with pk and otherwise with ⊥.

We refer to registration protocols that utilize the key’s intended functionality as proof-of-possession based. For example, let S = (Kg,Sign,Ver) be a signature scheme. Define the registrationprotocol S-Pop = (PopP,PopV) as follows. Running PopP on inputs pk, sk results in sending themessage pk || Sign(sk, 〈pk〉) to the CA. Upon receiving message pk || σ, a CA running PopV replieswith pk if Ver(pk, 〈pk〉, σ) = 1 and otherwise replies with ⊥. This corresponds to the simplest POPsfor signature schemes specified in PKCS#10 and RFCs 4210/4211.

The registered key model. We consider security definitions that are captured by a gamebetween an adversary and an environment. To lift such security definitions to the registered keymodel, we use the following general approach. Adversaries are given an additional key registra-tion oracle OKReg that, once invoked, runs a new instance of RegV for some key registrationprotocol (RegP,RegV). If the last message from RegV is a public key pk, then pk is added to atable R. This table can now be used to modify winning conditions or restrict which public keysare utilized by the adversary in interactions with the environment. Security of schemes under thenew definition is therefore always with respect to some registration protocol.

The key registration protocols mentioned so far are two round protocols: the registrant sendsa first message to the CA, which replies with a second message being either pk or ⊥. For any tworound protocol Reg = (RegP,RegV), the OKReg oracle can be simplified as follows. An adversaryqueries with a first message, at which point RegP is immediately run and supplied with the message.The oracle halts RegP before it sends its reply message. The message is added to R if it is not ⊥.The oracle finally returns pk or ⊥ appropriately.

4 Multisignatures using POPs

The goal of a multisignature scheme is for a group of parties, each with its own public and secretkeys, to jointly create a compact signature on some message. Following the formulation in [7], amultisignature scheme is a tuple of algorithms MS = (MPg,MKg,MSign,MVf). A trusted centralauthority runs the parameter generation algorithm MPg to create a parameter string par that ispublished globally. The key generation algorithm MKg, independently run by each party, outputsa key pair (pk, sk). The MSign interactive protocol is run by some group of players. Each partylocally runs MSign on input being a secret key sk, a multiset of public keys V, and a message M . Itmay consist of multiple rounds, though the protocols we consider here only require a single round:a request broadcast to all parties and the response(s). Finally, the verification algorithm MVf takesas input a tuple (V,M, σ), where V is a multiset of public keys, M is a message, and σ is a signature,and returns a bit. We require that MVf(V,M,MSign(sk,V,M)) = 1 for any M and where everyparticipant correctly follows the algorithms. For schemes that do not require any trusted setup,we write the scheme as just a triple of algorithms (MKg,MSign,MVf) where the now implicit MPgalgorithm returns an empty string.

Multisignature security. Let MS = (MPg,MKg,MSign,MVf) be a multisignature scheme,Reg = (RegP,RegV) be a key registration protocol, and A be an adversary. Figure 1 displaysthe security game Expmsuf-kr

MS,Reg(A). The experiment simulates one honest player with public keypk∗. The goal of the adversary is to produce a multisignature forgery : a tuple (V,M, σ) that

7

Experiment Expmsuf-krMS,Reg(A)

par$← MPg; (pk∗, sk∗) $← MKg(par); Q ← ∅; R← ∅

Run A(par, pk∗) handling oracle queries as follows

OMSign(V,M), where pk∗ ∈ V: Q ∪←M ; Simulate a new instance of MSign(sk∗,V,M),forwarding messages to and from A appropriately.

OKReg: Simulate a new instance of algorithm RegV, forwarding messages to andfrom A. If the instance’s final message is pk 6= ⊥, then R ∪← pk.

A halts with output (V,M, σ)If ( pk∗ ∈ V ) ∧ (M /∈ Q ) ∧ ( MVf(V,M, σ) = 1 ) ∧ ( (V − {pk∗}) \ R = ∅ ) then

Return 1Return 0

Figure 1: Multisignature security experiment in the registered key model.

satisfies the following four conditions. First, the honest public key pk∗ is in the multiset V atleast once. Second, the message M was not queried to the multisignature oracle. Third, thesignature verifies. Fourth, each public key in V − {pk∗} must be in R, where V − {pk∗} means themultiset V with one occurrence of the honest key removed. We define the msuf-kr-advantage ofan adversary A against a multisignature scheme MS with respect to registration protocol Reg asAdvmsuf-kr

MS,Reg(A) = Pr[Expmsuf-kr

MS,Reg(A)⇒ 1]. The probability is taken over the random coins used in

the course of running the experiment, including those used by A. The definitions can be lifted tothe random oracle model [8] in the natural way. It is easy to show that our definition is equivalentto the definition in [7] when Reg = Plain and equivalent to the definition in [11] when Reg = Kosk.

An adversary A is legitimate if: (1) it only queries OMSign on a set of public keys V suchthat pk∗ ∈ V; and (2) outputs a forgery attempt (V,M, σ) for which pk∗ ∈ V and M /∈ Q and(V −{pk∗})\R = ∅ (all adversarially-chosen keys have been previously registered). Without loss ofgenerality, we will from now on only consider legitimate adversaries.

We now prove the security of the BMS and WMS multisignature schemes relative to POP-basedprotocols that differ from current standards only by use of a distinct hash function. In Section 4.3we discuss attacks against the schemes when standardized registration protocols are utilized.

4.1 Multisignatures Based on BLS Signatures

BLS signatures and multisignatures. Let Hs: {0, 1}∗ → G1 be a random oracle and letG1,G2,GT , p, g, e be pairing parameters. Boneh, Lynn, and Shacham [14] specify a signaturescheme BLS = (B-Kg,B-Sign,B-Vf). The algorithms work as follows:

B-Kg:sk

$← Zp; pk ← gsk

Return (pk, sk)

B-SignHs(sk,M):Return Hs(M)sk

B-VfHs(pk,M, σ):If e(Hs(M), pk) = e(σ, g) then

Return 1Return 0

The BMS = (B-MKg,B-MSign,B-MVf) multisignature scheme [11] is a simple extension of BLSsignatures. Key generation is equivalent to B-Kg. Multisignature generation for participants labeled1, . . . , v, public keys V = {pk1, . . . , pkv}, and a message M proceeds as follows. Each participant icomputes σi

$← B-Sign(ski,M) and broadcasts σi to all other participants. The multisignature isσ ←

∏vi=1 σi. On input V,M, σ for V = {pk1, . . . , pkv} the verification algorithm B-MVf computes

8

PK =∏vi=1 pki and then runs B-VfHs(PK,M, σ), returning its output. Boldyreva proved the

scheme secure under the KOSK assumption [11].

The B-Pop protocol. We now specify a POP-based key registration protocol under which wecan prove BMS secure. Let Hp: {0, 1}∗ → G1 be a random oracle. Then we define the B-Pop =(B-PopP,B-PopV) protocol as follows. Algorithm B-PopP(pk, sk) sends pk || B-SignHp(sk, 〈pk〉)and algorithm B-PopV, upon receiving (pk, π) computes B-VfHp(pk, 〈pk〉, π) and if the result is 1replies with pk and otherwise with ⊥. We point out that one can use the same random oracle(and underlying instantiating hash function) for both Hs and Hp as long as domain separation isenforced. The following theorem captures the security of BMS with respect to this key registrationprotocol.

Theorem 4.1 Let Hs,Hp: {0, 1}∗ → G1 be random oracles. Let A be an msuf-kr-adversary, withrespect to the B-Pop propocol, that runs in time t, makes qh, qpop, qs, and qk queries to Hs, Hp,the signing oracle, and the key registration oracle, and outputs a multisignature forgery on a groupof size at most v. Then there exists an adversary B such that

Advmsuf-krBMS,B-Pop(A) ≤ e(qs + 1) ·Advco-cdh

(G1,G2)(B)

where B runs in time at most t+O((qh + qpop + v)tE + te).

Proof: We construct a co-CDH adversary B, which on input X ∈ G2 and h ∈ G1 utilizes alegitimate msuf-kr adversary A (with respect to the B-Pop protocol) to help it compute hx wherex = loggX. We adapt a game-playing [9] approach due to Bellare for proving the security of BLSsignatures [3]. Recall that since BMS is a single-round protocol the signing oracle simply returnsa BLS signature over the message. We make several simplifying assumptions about A that arewithout loss of generality. First, A always queries Hs(M) before querying OMSign(M) for anymessage M . Second, A always queries Hp(〈pk〉) before querying OKReg(pk, π) for any π. Third,A only queries OKReg on pairs (pk, π) for which B-VfHp(pk, 〈pk〉, π) = 1.

Figure 2 details the adversary B. It first applies the isomorphism ψ to g and X and setsa counter c to zero. It runs A on input X, which is then the trusted public key of the BMSinstance A is to attack. Adversary B uses four tables, Hs, Hp, B, and P. All four are initiallyeverywhere undefined. Queries to Hs are sometimes responded to with values that include hand sometimes not, depending on a δ-biased coin (we notate flipping such a coin by δc

δ←{0, 1}).Intuitively, the δc values correspond to guessing which Hs query will correspond to the forgerymessage. Adversary B responds to Hp queries with values that always include h. This is so thatthe adversarially-supplied POPs can be used to help extract the co-CDH solution from a forgery.Queries to OKReg simply record the supplied POP in P. Eventually A halts outputing a forgeryattempt (V,M, σ). Adversary B checks if the forgery verifies and if so attempts to extract fromit the value hx. Here (X, pk1, . . . , pkd) ← V means parse V into the sequence of public keysX, pk1, . . . , pkd which enumerates all those in V. (Since A is legitimate X must be in V.) Notethat extraction of hx is only possible if the forgery message had its Hs response programmed toinclude h.

We now proceed through a sequence of games to lower bound the probability that B succeedsin computing hx. The first game is G0, shown in Figure 2 with boxed statements omitted. It isexactly like B except that it generates the co-CDH instance itself (first line of Initialize). Theoutputs G0(A) and B are thus distributed identically. More-over, if their output is not ⊥ then itis hx. To see this, let us fix some notation related to the variables in the Finalize procedure of G0.Define ski = logg pki and πi = P[pki] for each i ∈ [1 .. d]. Then ψ(pki) = gski

1 holds for each i. Define

9

Adversary B(X,h)g1 ← ψ(g); X1 ← ψ(X); c← 0Run A(X), answering queries by

query Hs(M)c← c+ 1; Mc ←M

αc$← Zp; δc δ←{0, 1}

If δc = 1 then Hs[M ]← gαc1

Else Hs[M ]← hgαc1

Ret Hs[M ]

query Hp(N)B[N ] $← Zp; Ret Hp[N ]← hg

B[N ]1

query OMSign(M)Let k be s.t. M = Mk; Sk ← ⊥If δk = 1 then Sk ← Xαk

1

Else bad← trueRet Sk

query OKReg(pk, π)P[pk]← π; Ret pk

A finishes, outputing (V,M, σ)If B-MVf(V,M, σ) = 0 then Ret ⊥(X, pk1, . . . , pkd)← VLet k be s.t. M = Mk; α← αkFor each i ∈ [1 .. d] do γi ← α− B[〈pki〉]w ← ⊥If δk = 0 thenw ← σX−α

1

∏di=1 (P[pki]−1 ψ(pki)−γi)

Else bad← trueRet w

procedure Initialize G0 G1

x$← Zp; X ← gx; h $← G1

g1 ← ψ(g); X1 ← ψ(X); c← 0Ret X

procedure Hs(M)c← c+ 1; Mc ←M

αc$← Zp; δc δ←{0, 1}



Ret Hs[M ]

procedure Hp(N)

B[N ] $← Zp; Ret Hp[N ]← hgB[N ]1

procedure OMSign(M)Let k be s.t. M = Mk; Sk ← ⊥If δk = 1 then Sk ← Xαk

1

Else bad← true ; Sk ← Hs[M ]x

Ret Sk

procedure OKReg(pk, π)P[pk]← π; Ret pk

procedure Finalize(V,M, σ)If B-MVf(V,M, σ) = 0 then Ret ⊥(X, pk1, . . . , pkd)← VLet k be s.t. M = Mk; α← αkFor each i ∈ [1 .. d] do γi ← α− B[〈pki〉]w ← ⊥If δk = 0 thenw ← σX−α

1

∏di=1 (P[pki]−1 ψ(pki)−γi)

Else bad← true ; w ← hx

Ret w

Figure 2: Adversary B and games G0 and G1 used in the proof of Theorem 4.1. Game G0 omitsthe boxed statements while G1 includes them.

βi = α− γi = B[pki]. Because A is legitimate we necessarily have that e(Hs[M ], PK) = e(σ, g) andthat e(Hp[〈pki〉], pki) = e(πi, g) for each i ∈ [1 .. d]. Applying the properties of pairings to theseequivalences gives that σ = (hgα1 )x+sk1+...+skd and πi = (hgβi

1 )ski for each i ∈ [1 .. d]. Then

w = σX−α1

d∏i=1

π−1i ψ(pki)−γi =

(hgα1 )x+sk1+...+skd

Xα1 ·

∏(hgβi

1 )ski(gski1 )α−βi

= hx . (1)

Therefore we have that

Advco-cdh(G1,G2)(B) = Pr [G0(A) ; ⊥] (2)

The next game is G1, shown in Figure 2 with the boxed statements included. Games G0 and G1

10

procedure Initialize G2

x$← Zp; X ← gx; h $← G1; c← 0

Ret X

procedure Hs(M)c← c+ 1; Mc ←M

αc$← Zp; δc δ←{0, 1}



Ret Hs[M ]

procedure Hp(N)

B[N ] $← Zp; Ret Hp[N ]← hgB[N ]1

procedure OMSign(M)Let k be s.t. M = Mk

If δk 6= 1 then bad← trueRet Hs[M ]x


procedure Finalize(V,M, σ)If B-MVf(V,M, σ) = 0 then Ret ⊥Let k be s.t. M = Mk

If δk 6= 0 then bad← trueRet hx


x$← Zp; X ← gx; h $← G1; c← 0

Ret X

procedure Hs(M)

c← c+ 1; Mc ←M ; δcδ←{0, 1}

Ret Hs[M ] $← G1

procedure Hp(N)

Ret Hp[N ] $← G1

procedure OMSign(M)Let k be s.t. M = Mk

If δk 6= 1 then bad← trueRet Hs[M ]x


procedure Finalize(V,M, σ)If B-MVf(V,M, σ) = 0 then Ret ⊥Let k be s.t. M = Mk

If δk 6= 0 then bad← trueRet hx


x$← Zp; X ← gx; h $← G1; c← 0

Ret X

procedure Hs(M)

Ret Hs[M ] $← G1

procedure Hp(N)

Ret Hp[N ] $← G1

procedure OMSign(M)c← c+ 1; Ret Hs[M ]x


procedure Finalize(V,M, σ)If B-MVf(V,M, σ) = 0 then Ret ⊥For each j ∈ [1 .. c] doδj

δ←{0, 1}; If δj = 0 then bad← true

δj+1δ←{0, 1}; If δj+1 = 1 then bad← true

Ret hx

Figure 3: Games G2 and G3 used in the proof of Theorem 4.1.

11

are identical-until-bad. Let Goodi be the event that Gi(A) does not set bad. Then by a variant [6]of the fundamental lemma of game-playing [9] we have that

Pr [G0(A) ; ⊥] ≥ Pr [G0(A) ; ⊥ ∧ Good0] = Pr [G1(A) ; ⊥ ∧ Good1] . (3)

In game G1 note that signing queries always return Hs[M ]x. This is true because

Xαk1 = ψ(gx)αk = (gx1 )αk = (gαk

1 )x = Hs[M ]x . (4)

Additionally Finalize, as per (1), always returns hx if A’s forgery verifies. Game G2 rewritesOMSign and Finalize to make these facts explicit, and also omits computing g1 and X1 whichare no longer needed. We have that

Pr [G1(A) ; ⊥ ∧ Good1] = Pr [G2(A) ; ⊥ ∧ Good2] . (5)

In game G2 all uses of hash range points are via Hs[M ] and Hp[M ] (i.e., we no longer utilizethe special structure of the range points). Game G3 therefore dispenses with the special way inwhich Hs and Hp choose range points, now choosing them directly at random from G1. In both G2and G3 the range points have the same (uniform) distribution, meaning that the code is equivalentand thus


In G3 the setting of bad does not impact any other random variables in the game, and so in game G4we defer its setting until Finalize. Furthermore, not all of the δ values can actually set bad: onlythose that end up being referenced during signing queries and the one extra for the forgery. ThusG4 moves incrementing the counter c to signing queries, and in Finalize only performs δ-biasedcoin tosses c+ 1 times: one for each signature query and one for the forgery. This justifies that


In game G4, the event G4(A) ; ⊥ and the event Good4 are independent. This is because theevents do not rely on any shared random variables. The variable c is in fact not a random variable,because it will always equal qs, the number of signing queries A uses. This justifies that

Pr [G4(A) ; ⊥ ∧ Good4] = Pr [G4(A) ; ⊥] ·Pr [Good4] . (8)

where Pr [Good4] ≥ (e(qs + 1))−1 (this is standard, see e.g. [6, 15]). Finally, G4 exactly simulatesfor A the ruf3-kr experiment, meaning

Pr [G4(A) ; ⊥] = Pr[Expruf3-kr

BMS,B-Pop(A)⇒ 1]

= Advruf3-krBMS,B-Pop(A) (9)

Combining (2), (3), (5), (6), (7), (8), (9), and the lower bound on Pr [Good4] yields

Advco-cdh(G1,G2)(B) ≥ 1

e(qs + 1)Advruf3-kr

BMS,B-Pop(A)

which implies the theorem statement.Adversary B runs A. Additionally B must perform an exponentiation for each Hs and Hp query

and one for each key in the forgery set V. Finally B must perform a pairing to verify the forgery.Thus B runs in time at most t+O((qh + qpop + v)tE + te) where |V| = v.

4.2 Multisignatures Based on Waters Signatures

Waters signatures and multisignatures. Let G1,G2,GT , p, g, e be pairing parameters. Wedefine the signature scheme W = (W-Pg,W-Kg,W-Sign,W-Vf), as given in [28] and which is aslight variant of the original Waters signature scheme in [39]. The parameter generation algorithmW-Pg selects values h, u, u1, . . . , un

$← Gn+21 and publishes them globally. The other algorithms are

defined below.

12

W-Kg

α$← Zp

pk ← gα; sk ← hα

Return (pk, sk)

W-SignHu,~u(sk,M)

r$← Zp; ρ← gr

σ ← sk ·Hu,~u(M)r

Return (σ, ρ)

W-VfHu,~u(pk,M, (σ, ρ))

If e(h, pk) · e(Hu,~u(M), ρ) = e(σ, g) thenReturn 1

Return 0

The function Hu,~u: {0, 1}n → G1 is defined by Hu,~u(M) = u ·∏ni=1 u

M [i]i for any u, ~u ∈ Gn+1

1 .For simplicity the message space as defined is restricted to {0, 1}n, but in practice one can use acollision-resistant hash function to expand the domain.

The WMS = (W-Pg,W-MKg,W-MSign,W-MVf) multisignature scheme [28] is a straightforwardextension of the Waters’ signature scheme. Parameter generation and key generation are the sameas in W. To generate a multisignature for multiset V = {pk1, . . . , pkv}, each participant i computes(σi, ρi)

$← W-SignHu,~u(ski,M) and broadcasts (σi, ρi). The multisignature is (∏vi=1 σi,

∏vi=1 ρi).

To verify a multisignature (σ, ρ) for a message M and public keys V = {pk1, . . . , pkv}, simply letPK ←

∏vi=1 pki and then return W-VfHu,~u(PK,M, (σ, ρ)). This scheme was proven secure using

the KOSK assumption in [28].

The WM-Pop protocol. Let w,w1, . . . , wn$← Gn+1

1 be global parameters with associated hashfunction Hw,~w. These parameters require trusted setup, particularly because the CA should notknow their discrete logs. (One might therefore have the trusted party that runs W-Pg also generatew, ~w.) We define the following key registration protocol WM-Pop = (WM-PopP,WM-PopV): Algo-rithm WM-PopP takes as input (pk, sk) and sends pk || (π,$) where (π,$) = W-SignHw,~w(sk, 〈pk〉n).Algorithm WM-PopV receives pk || (π,$) and then runs W-VfHw,~w(pk, 〈pk〉n, (π,$)) and if the re-sult is 1, replies with pk and else replies with ⊥. The following theorem combined with [28, Theorem2] (security of WMS under the KOSK assumption) establishes the security of WMS under WM-Pop.

Theorem 4.2 Let A be an msuf-kr-adversary, with respect to the WM-Pop protocol, that runs intime t, makes qs multisignature queries, qk registration queries, and outputs a forgery for a groupof size at most v. Then there exists an adversary B such that

Advmsuf-krWMS,WM-Pop(A) ≤ Advmsuf-kr

WMS,Kosk(B)

and where B runs in time t + O(ntE + (tE + tψ)qk) and makes qs signature queries.

Proof: Let A be a legitimate adversary against WMS. Like in the proof for BMS, we note that forthe scheme WMS, a multisignature session oracle is equivalent to a Waters signature signing oraclefor the trusted party. We therefore deal with the latter, which is simpler.

We wish to construct an adversary B which uses A to create a forgery against the WMS mul-tisignature scheme with the Kosk key registration protocol. Adversary B will receive as inputsystem parameters (h, g, u, u1, . . . , um) and target public key pk∗, where h is a generator of G1,u, u1, . . . , um are all elements of G1, g is a generator of G2, and pk∗ = gα for some random α ∈ Zp.The adversary is also given a signing oracle OMSign-B and a key registration oracle OKReg-B.Its goal is to produce a valid multisignature forgery which verifies under some set of keys thatincludes pk∗. Since A is an adversary against WMS with WM-Pop key registration, it must takeadditional input w, ~w (for key registration) and B must simulate for it a signing oracle OMSign-Aand a key registration oracle OKReg-A. The adversary B operates as follows:

• Let g1 = ψ(g). Choose z, z1, . . . , zn$← Zn+1

p and let (w,w1, . . . , wn)← (gz1 , gz11 , . . . , g

zn1 ). Choose

s$← Zp. Run the WMS multisignature adversary A on input pk = pk∗, par = (h, g, u, ~u, w, ~w).

13

• On oracle query OMSign-A(Mi) from A, query OMSign-B(Mi). Upon receiving a signature(σi, ρi), forward it back to A.

• When A queries OKReg-A(pki, (πi, $i)), let ski ← πi/ψ($i)z+Pn

j=1 zj ·〈pki〉[j]. Then queryOKReg-B(pki, ski).

• When A outputs an attempted forgery (V,M, (σ, ρ)), output (V,M, (σ, ρ)).

We now show that whenever A forges against the WMS multisignature scheme with WM-Pop keyregistration, B forges against the WMS mulsignature scheme with Kosk key registration (WMS wasproven secure under the KOSK assumption in [28]). To do this we first claim that B perfectlysimulates the environment for A. This is clear since the public key and system parameters given toA directly correspond to the public key and parameters given to B (namely h, g, u, u1, . . . , un) andthus the sign oracle provided by B is correct. Since B forwards all of A’s sign oracle queries to theenvironment and B makes no other sign oracle queries, it is also clear that if A did not query itsforgery message to the sign oracle provided by B, then B also did not query its sign oracle on thatmessage. Lastly, we show that every time A sends a valid POP to the registration oracle providedby B, B is able to ‘extract’ the secret key to send to its own Kosk registration oracle. To see thisrecall that a valid POP (πi, $i) for key pki is such that

e(h, pki) · e(Hw,~w(〈pki〉n), $i) = e(πi, g). (10)

Also, note that (pki, ski) is a valid key pair if and only if

e(ski, g) = e(h, pki). (11)

Now, rearranging equation 10:

e(h, pki) =e(πi, g)

e(Hw,~w(〈pki〉n), $i)

=e(πi, g)

e(gz+

Pnj=1 zj〈pki〉[j]

1 , $i)

=e(πi, g)

e(ψ($i)z+Pn

j=1 zj〈pki〉[j], g)

= e(πi · (ψ($i)z+Pn

j=1 zj〈pki〉[j])−1, g)

= e(ski, g)

which from equation 11 means that (pki, ski) is a valid key pair. This shows that each timeadversary A is able to register a key, B is able to ‘extract’ the corresponding secret key and use itfor KOSK key registration.

Now, whenever A forges, it must have properly registered the keys used in the forgery. Since wejust showed that a proper key registration by A equates to a proper key registration for B, it followsthat whenever A forges, B also forges. So,

Advmsuf-krWMS,WM-Pop(A) ≤ Advmsuf-kr

WMS,Kosk(B).

In addition to running A, B must must perform one isomorphism and n + 1 exponentiationsbefore starting A, plus qk isomorphisms and qk exponentiations. Thus the running time of B ist+O(ntE + (tE + tψ) · qk) where t is the running time of A.

14

4.3 Attacks against Standardized Key Registration Protocols

We show how the standardized proof-of-possession based key registration protocols (as per PKCS#10[35] and RFCs 4210/4211 [1, 36]) fail to prevent rogue key attacks. Let BadPop = (BadP,BadV) bethe standardized key registration protocol for BMS and let the algorithms be as follows: AlgorithmBadP, on input (pk, sk) sends pk || B-SignH(sk, 〈pk〉) and algorithm BadV, upon receiving (pk, π),runs B-VfH(pk, 〈pk〉, π) and replies with pk if the result is 1 and ⊥ otherwise. Here H is the samehash function as used in B-MSign and B-MVf.

We define a simple msuf-kr adversaryA that successfully mounts a rogue-key attack against BMSwith respect to the BadPop registration protocol. Adversary A gets the honest party’s public key pk∗

which is equal to gsk∗. It then chooses s $← Zp. Its public key is set to pk = gs/pk∗ = gs−sk

∗. The

forgery on any message M and multiset {pk∗, pk} is simply H(M)s, which clearly verifies under thetwo public keys given. Now to register its key, the adversary makes the query OMSign({pk∗}, 〈pk〉),receiving σ = H(〈pk〉)sk∗ . Then A sets π ← H(〈pk〉)s/σ and registers with pk || π. It is easy to seethat this verifies, and thus A can always output a multisignature forgery: its msuf-kr advantage isone.

An analogous key registration protocol could be defined for WMS, and again a simple attackshows its insecurity. Both approaches fall to attacks because the signatures used for key registra-tion and normal multisignatures are calculated in the same manner. This motivated our simpledeviations from standardized registration protocols for the B-Pop and WM-Pop protocols.

4.4 Other POP Variants

Another class of POP-based registration protocols for signature schemes has the CA send a randomchallenge to the registrant. The registrant must then supply a signature over the challenge message.Our results also apply to such protocols.

We first show that requiring a signature over a random challenge has the exact same pitfalls asrequiring a signature of the key being registered. Let BadRCPop = (BadRCP,BadRCV) be a randomchallenge key registration protocol for BMS with its algorithms as follows: algorithm BadRCP, oninput (pk, sk) sends pk to the CA; algorithm BadRCV receives pk and replies with a random stringc ∈ {0, 1}n; BadRCP receives c and replies with π = B-SignH(sk, c); finally BadRCV receives πand outputs pk if B-VfH(pk, c, π) = 1 and ⊥ otherwise. Hash function H is the same one used inB-MSign and B-MVf.

As before, there is a simple msuf-kr adversary A that can mount a rogue-key attack againstBMS with this registration protocol. Adversary A gets the honest party’s public key pk∗ which isequal to gsk

∗. It then chooses s $← Zp. Its public key is set to pk = gs/pk∗ = gs−sk

∗. The forgery

on any message M and multiset {pk∗, pk} is simply H(M)s. To register its key, the adversarymust sign some random challenge c with the rogue key. To do this, the adversary, upon receivingc, makes the query OMSign({pk∗}, c) and receives σ = H(c)sk

∗. Then A sets π ← H(c)s/σ and

sends π as its response.To prevent the attack above, we again can use a distinct hash function for signing and key

registration. To adapt the proof of Theorem 4.1 to the setting with random challenge key registra-tion, the adversary B simply needs to compute γi ← α − B[ci], where ci is the random challengegiven when pki was registered. The rest of the proof is the same. The proof of Theorem 4.2 canbe similarly modified. The reason that this works is that the proof of security does not depend onthe choice of string signed in the proof of possession, as long as the string is known to the CA.

15

Experiment Expranon-ind-bRS (A)

par$← RPg

Run A(par) handling oracle queries as followsORSignLR(S,V,M), where S = (sk0, sk1); V = pk0, . . . , pkv−1; (pk0, sk0), (pk1, sk1) valid:

Ret RSignskb(V,M)

A outputs b′

Ret b′

Figure 4: Ring signature anonymity experiment.

5 Ring Signatures in the Registered Key Model

A ring signature scheme RS = (RPg,RKg,RSign,RVf) consists of four algorithms. The parametergeneration algorithm generates a parameter string par, which is published globally. The key gener-ation algorithm RKg outputs a key pair (pk, sk). The algorithm RSignsk(V,M) ≡ RSign(sk,V,M)generates a ring signature on input a secret key sk, a message M, and a multiset of public keys Vsuch that there exists pk ∈ V for which (pk, sk) is a valid key pair. We further assume that |V| ≥ 2.Note that we do not require that all elements in V be distinct.1 Lastly the verification algorithmRVf(V,M, σ) outputs a bit. We require that RVf(V,M,RSignsk(V,M)) = 1 for any message M ,any valid multiset of public keys, and for any valid sk with a pk ∈ V. Ring signatures that onlyallow rings of size exactly κ are called κ-user ring signatures.

5.1 Ring Signature Definitions

New anonymity definition. We propose a stronger definition of anonymity than those given byBender et al. [10]. Intuitively, our definition requires that no adversary should be able to tell whatsecret key was used to generate a ring signature, even if the adversary itself chooses the secret keysinvolved. Formally, let A be an adversary and RS = (RPg,RKg,RSign,RVf) be a ring signaturescheme. Then we define the ranon-ind advantage of an adversary A by

Advranon-indRS (A) = Pr

[Expranon-ind-0

RS (A)⇒ 1]− Pr

[Expranon-ind-1

RS (A)⇒ 1]

where the experiment Expranon-ind-bRS (A) is defined in Figure 4. We say a scheme is perfectly r-anon-

ind anonymous if the advantage of any adversary is zero.The ranon-ind definition is stronger than the strongest definition given in [10] (see Appendix A

for details). Even so, it is easy to see that (for example) both of the 2-user ring signature schemesfrom [10] meet it, and are, in fact, perfectly ranon-ind anonymous.

Unforgeability definitions. We expand the unforgeability definitions given in [10], drawing adistinction between attacks where honest parties can be corrupted and rogue-key attacks (wherethe adversary can choose public keys). We also lift the strongest unforgeability definition to theregistered key model. Fix some number η, representing the number of trusted potential honestsigners. Let RS = (RPg,RKg,RSign,RVf) be a ring signature scheme and Reg = (RegP,RegV) be aregistration protocol. Then we define the advantages

1This generalizes previous treatments, e.g. [10]. While a ring signature over a ring with duplicates is equivalentsemantically to one over a ring with all duplicates removed, there is no intrinsic reason not to allow duplicates, andthus we would like definitions to capture this generalization. Of course a particular scheme could require distinctpublic keys, for example by removing duplicates before signing.

16

Experiment Expruf3-krRS,Reg(A)

par$← RPg; For i = 1 to η do (pki, ski)

$← RKg(par)Q ← C ← R← ∅; S ← {pki | i ∈ {1, . . . , η}}Run A(par, (pki)

η1) handling oracle queries as follows

ORSign(s,V,M), where s ∈ [1 .. η] and pks ∈ V:Q ∪← (V,M); If (V \ S ) \ R 6= ∅ then Ret ⊥Ret RSignsks

(V,M)OCorrupt(i), where i ∈ [1 .. η]: C ∪← i; Ret skiOKReg: Simulate a new instance of algorithm RegV, forwarding messages to and

from A. If the instance’s last message is pk 6= ⊥, then R ∪← pk.A outputs (P,M, σ)V = {pki | i ∈ P}If RVf(V,M, σ) = 1 ∧ ( (V,M) /∈ Q ) ∧ (P ∩ C = ∅ ) ∧ (P\{1, . . . , η} = ∅ ) then Ret 1Ret 0

Figure 5: Ring signature unforgeability experiment in the registered key model. The ruf2 experi-ment is derived by omitting the OKReg oracle. The ruf1 experiment is derived by omitting boththe OKReg and OCorrupt oracles.

• Advruf3-krRS,Reg(A) = Pr[Expruf3-kr

RS,Reg(A) ⇒ 1] (rogue-key attacks, equivalent to Definition 7 in [10]when Reg = Plain)

• Advruf2RS (A) = Pr[Expruf2

RS (A)⇒ 1] (corruption attacks, similar to a definition in [21])• Advruf1

RS (A) = Pr[Expruf1RS (A)⇒ 1] (chosen subring attacks, Definition 6 in [10])

where the Expruf3-krRS,Reg(A) experiment is defined in Figure 5 and the others are as follows. Experiment

Expruf2RS (A) is defined by the experiment in Figure 5 except with the OKReg oracle omitted.

Experiment Expruf1RS (A) is defined by the experiment in Figure 5 except both the OCorrupt and

OKReg oracles are omitted. Note that we have not excluded the possibility that duplicate publickeys are generated by the experiment2, and in particular V and S might both be multisets in theexperiments. (This better reflects the independent nature of key generation by users, who cannotnecessarily be trusted to ensure all public keys generated are unique.) On the other hand, P mustnot have duplicates.

We also define a variant of the ruf3-kr security definition, which pertains to fixed-ring adver-saries. These are adversaries which must forge against some ring of public keys selected by theenvironment. Let ν ≥ 2 and assume that RS supports rings of size ν. Define the experimentExpruf3-kr-fr

RS,Reg (A) by the code for Expruf3-krRS,Reg(A) in Figure 5 except with the following changes: η is

everywhere replaced by ν; the forgery output (P,M, σ) must have P = {1, . . . , ν}; and the (nowuseless) OCorrupt oracle is omitted. We define the ruf3-kr-fr advantage of an adversary A by• Advruf3-kr-fr

RS,Reg (A) = Pr[Expruf3-kr-fr

RS,Reg (A)⇒ 1]

For κ-user schemes necessarily ν = κ. Note that in [10] a similar fixed-ring definition is given, butit does not allow rogue-keys attacks.

An adversary A is legitimate if: (1) all queries to ORSign(s,V,M) are such that s ∈ {1, . . . , η};pks ∈ V; and (V\S)\R = ∅; (2) all queries to OCorrupt(i) are such that i ∈ {1, . . . , η} and A never

2This formalization implies that for a scheme to be secure against ruf2 and ruf3-kr adversaries, it must ensurethat honestly generated keys are duplicates only with low probability. If there exists pki = pkj for i 6= j then suchan adversary can simply corrupt i and then forge against j and some other party using ski.

17

repeats a query i to OCorrupt; and (3) A only outputs tuples (P,M, σ) for which P\{1, . . . , η} = ∅(all indices in P are distinct and in the range [1 .. η]) and P ∩ C = ∅ and (V,M) /∈ Q. Without lossof generality, we will from now on only consider legitimate adversaries.

5.2 Unforgeability Implications for κ-user Schemes

In this section we focus on κ-user ring signature schemes, giving two results. The first is thatfor κ-user ring signatures meeting the ranon-ind anonymity definition, security against corruptionattacks is implied by security against chosen subring attacks. This shows that (for these schemes)the ability to corrupt parties offers little benefit to adversaries. The second result shows that κ-user schemes secure against fixed-ring rogue-key attacks are also secure against general rogue-keyattacks. Both results will be useful for establishing the security of schemes against rogue-key attackswhen key registration protocols are utilized (as discussed in the next two sections). Additionally,the lemmas could be of independent interest.

Corruptions don’t help. We now state and prove a lemma which states that the ability tocorrupt parties is of limited usefulness to adversaries attacking κ-user ring signature schemes.

Lemma 5.1 Let RS = (RPg,RKg,RSign,RVf) be a κ-user ring signature scheme. Let η ≥ κ. andlet A be an ruf2 adversary that makes at most qs signature queries, at most qc corruption queries,and runs in time at most t. Then there exist adversaries Ba and Bu such that

Advruf2RS (A) ≤

(η

κ

)Advranon-ind

RS (Ba) +(η

κ

)Advruf1

RS (Bu)

where Ba and Bu uses at most qs queries and run in time at most t+O(qc+(qs+η+1)Time(RS)).

Proof: Let A be a legitimate ruf2 adversary. We build a legitimate ruf1 adversary Bu that uses A.See Figure 6. The adversary Bu is given inputs a parameter string and set of honestly-generatedpublic keys and access to a signing oracle denoted by ORSign-1. Recall that this oracle, whichcorresponds to the ruf1 experiment, does not allow queries on adversarially-generated public keys.Adversary Bu first selects a set of indices K that represent its guess of which parties will not becorrupted by A. Then, a new set of keys is generated by Bu. For every index in K the real keyis used. For all others, Bu generates its own public key, secret key pair. Adversary A is run usingthe resulting multiset of public keys. (A is given a sequence of keys such that the ith key in thesequence corresponds to pki). Signing queries ORSign-2(s,V,M) from A are simulated in one oftwo ways. If the keys in V correspond to the guessed subset, then Bu utilizes its own oracle torespond. Otherwise, one of the keys that Bu generated itself is used to answer the query. Thestatement “Let j ∈ [1 .. η]\K be s.t. pkj ∈ V” means find a (e.g., the first) key pkj that is bothin V and in the set of public keys generated by Bu. For corruption queries, if the index queriedis not in K then the appropriate secret key is returned (in this case B generated the key itself).Otherwise ⊥ is returned. Note that by the legitimacy of A and the manner in which signing queriesare handled Bu is also legitimate.

We now proceed through a game-playing sequence to lower bound the advantage of Bu in termsof the advantage of A and, as we’ll see, an ranon-ind adversary Ba. Game G0 represents the firstgame, see Figure 6. It is equivalent to the adversary Bu except that it generates the parameterstring and honest public keys itself and answers ORSign queries for the chosen set of public keysdirectly. Since the outputs of G0 and Bu are distributed equivalently and Bu forges anytime itdoesn’t output ⊥, we have

Advruf1RS (Bu) = Pr [G0(A) ; ⊥] . (12)

18

Adversary Bu(par, (pki)η1):

K$← Pκ({1 .. η})

For i = 1 to η doIf i /∈ K then (pk′i, sk

′i)← RKg(par)

Else pk′i ← pkiT ← {pki | i ∈ K}Run A(par, (pk′i)

η1), answering queries by:

query ORSign-2(s,V,M)If V = T then Ret ORSign-1(s,V,M)Let j ∈ {1 .. η}\K be s.t. pkj ∈ VRet RSignsk′j (V,M)

query OCorrupt(i)sk ← ⊥If i /∈ K then sk ← sk′iElse bad← trueRet sk

A finishes, outputing (P,M, σ)If P 6= K then bad← trueφ← ⊥; V = {pki | i ∈ P}If RVf(V,M, σ) = 1 then

If bad 6= true then φ← (P,M, σ)Ret φ


par$← RPg

For i = 1 to η do (pki, ski)$← RKg(par)

K$← Pκ({1 .. η})

For i = 1 to η doIf i /∈ K then (pk′i, sk

′i)← RKg(par)

Else pk′i ← pkiT ← {pki | i ∈ K}Ret (par, (pk′i)

η1)

procedure ORSign-2(s,V,M)If V = T then Ret RSignsks

(V,M)Let j ∈ {1 .. η}\K be s.t. pkj ∈ VRet RSignsk′j (V,M)

procedure OCorrupt(i)sk ← ⊥If i /∈ K then sk ← sk′iElse bad← trueRet sk

procedure Finalize(P,M, σ)If P 6= K then bad← trueφ← ⊥; V = {pki | i ∈ P}If RVf(V,M, σ) = 1 then


Figure 6: Adversary Bu and game G0 used in proof of Lemma 5.1.

Game G1 is shown in Figure 7. It is the same as G0 except that we simplify the initializationprocedure to just pick one set of η key pairs. The view of the adversary is equivalent, since all keysare distributed as before. Thus

Pr [G0(A) ; ⊥] = Pr [G1(A) ; ⊥] . (13)

Game G2 modifies the ORSign procedure of G1: in all cases the secret key associated with theindex s is used to answer the response. Otherwise the games are identical. To bound the lossincurred by this game transition, we build an ranon-ind adversary Ba. This adversary will haveadvantage related to the ability of A to force the output of G1(A) to differ from the output of G2(A).Figure 7 depicts the adversary. It utilizes its ORSignLR oracle to help answer A’s ORSign-2queries and returns a one whenever A’s forgery is successful and bad is not set. We have that

Advranon-indRS (Ba) = Pr

[Expranon-ind-1

RS (Ba)⇒1]− Pr

[Expranon-ind-0

RS (Ba)⇒1]. (14)

Note that if Ba is run in the ranon-ind-1 experiment, then the secret key sks is always utilizedto answer Ba’s oracle queries. Thus Ba returns a one whenever G2(A) does not output ⊥,and so we have that Pr

[Expranon-ind-1

RS (Ba)⇒ 1]

= Pr [G2(A) ; ⊥]. Similarly, if Ba is run inthe ranon-ind-0 experiment, then the secret key skj is always used to answer Ba’s queries. SoPr

[Expranon-ind-0

RS (Ba)⇒ 1]

= Pr [G1(A) ; ⊥]. Substituting back into (14) and re-arranging we

19

procedure Initialize G1, G2

par$← RPg


K$← Pκ({1 .. η})

T ← {pki | i ∈ K}Ret (par, (pki)

η1)

procedure ORSign-2(s,V,M) G1If V = T then Ret RSignsks

(V,M)Let j ∈ {1 .. η}\K be s.t. pkj ∈ VRet RSignskj

(V,M)

procedure OCorrupt(i) G1, G2sk ← ⊥If i /∈ K then sk ← skiElse bad← trueRet sk

procedure Finalize(P,M, σ) G1, G2If P 6= K then bad← trueφ← ⊥; V = {pki | i ∈ P}If RVf(V,M, σ) = 1 then


procedure ORSign-2(s,V,M) G2If V = T then Ret RSignsks

(V,M)Let j ∈ {1 .. η}\K be s.t. pkj ∈ VRet RSignsks

(V,M)

Adversary Ba(par):

par$← RPg


K$← Pκ({[1 .. η})

T ← {pki | i ∈ K}Run A(par, (pki)


query ORSign-2(s,V,M)If V = T then Ret RSignsks

(V,M)Let j ∈ {1 .. η}\K be s.t. pkj ∈ VRet ORSignLR({skj , sks},V,M)

query OCorrupt(i)sk ← ⊥If i /∈ K then sk ← skiElse bad← trueRet sk

A halts with output (P,M, σ)If P 6= K then bad← trueφ← ⊥; V = {pki | i ∈ P}If RVf(V,M, σ) = 1 then

If bad 6= true then φ← (P,M, σ)If φ 6= ⊥ then Ret 1Ret 0

Figure 7: Games G1 and G2 and adversary Ba used in the proof of Lemma 5.1. Game G2 utilizesthe same Initialize, OCorrupt, and Finalize procedures as G1.

have that

Pr [G1(A) ; ⊥] = Pr [G2(A) ; ⊥]−Advranon-indRS (Ba) . (15)

Game G3 (Figure 8, boxed statements omitted) simplifies the ORSign-2 oracle: the code is dif-ferent but it implements the same functionality as in G2. As a result of this change, the game nolonger requires T , thus we omit it from Initialize.

Pr [G2(A) ; ⊥] = Pr [G3(A) ; ⊥] . (16)

Let Goodi be the event that Gi(A) does not set bad. Then we have by (16) that

Pr [G2(A) ; ⊥] = Pr [G3(A) ; ⊥] ≥ Pr [G3(A) ; ⊥ ∧ Good3] .

Game G4 includes the boxed statements, which assist it in answering ORSign-2 queries and ensurethat G4 only outputs ⊥ if A failed to produce a valid forgery. Games G3 and G4 are identical-until-bad. By a variant [6] of the fundamental lemma of game-playing [9] we have that


20

procedure Initialize G3 G4

par$← RPg


K$← Pκ({1 .. η})

Ret (par, (pki)η1)

procedure ORSign-2(s,V,M)Ret RSignsks

(V,M)

procedure OCorrupt(i)sk ← ⊥If i /∈ K then sk ← skiElse bad← true ; sk ← skiRet sk


If bad 6= true then φ← (P,M, σ)Else φ← (P,M, σ)

Ret φ


par$← RPg


K$← Pκ({1 .. η})

Ret (par, (pki)η1)


(V,M)

procedure OCorrupt(i)If i ∈ K then bad← trueRet ski

procedure Finalize(P,M, σ)If P 6= K then bad← trueφ← ⊥; V = {pki | i ∈ P}If RVf(V,M, σ) = 1 then φ← (P,M, σ)Ret φ


par$← RPg


Ret (par, (pki)η1)


(V,M)

procedure OCorrupt(i)Ret ski

procedure Finalize(P,M, σ)

K$← Pκ({1 .. η})

If P 6= K then bad← trueφ← ⊥; V ← {pki | i ∈ P}If RVf(V,M, σ) = 1 then φ← (P,M, σ)Ret φ

Figure 8: Games G3, G4, G5, and G6 used in the proof of Lemma 5.1. Game G3 does not includethe boxed statements, while G4 includes them.

21

Game G5 simplifies G4 in light of always answering corruption queries and always outputing asuccessful forgery by A. These changes do not change the implemented functionality of proceduresOCorrupt and Finalize, so Pr [G4(A) ; ⊥ ∧ Good4] = Pr [G5(A) ; ⊥ ∧ Good5]. Note that ingame G5 anytime bad is set within OCorrupt, necessarily P 6= K during Finalize. This is becauseA is legitimate, implying that the set P it outputs does not contain any indices previously queried toOCorrupt. Thus, if bad is set in OCorrupt for an index i ∈ K, then i /∈ P and so K 6= P. GameG6 therefore dispenses with the (now redundant) setting of bad in OCorrupt and additionallymoves the choice of K to the Finalize procedure (they are no longer used elsewhere in the game).We have already justified that these changes are without loss, thus Pr [G5(A) ; ⊥ ∧ Good5] =Pr [G6(A) ; ⊥ ∧ Good6].

In game G6 we note that, in fact, the events Good6 and G6(A) ; ⊥ are independent. Althoughthe setting of bad and G6(A) ; ⊥ both rely on the adversary’s choice of P, the probability thatbad is set for any set P is the same, meaning that the event Good6 is independent of a particularchoice of P, and hence of G6(A) ; ⊥. Thus we have

Pr [G6(A) ; ⊥ ∧ Good6] = Pr [G6(A) ; ⊥] · Pr [Good6] =(η

κ

)−1

· Pr [G6(A) ; ⊥]

where the last equation comes from noting that bad is not set if K is chosen to be the set of indicesused in the forgery.

Finally we have that G6(A) is equivalent to Expruf2RS (A), giving that Pr [G6(A) ; ⊥] = Advruf2

RS (A).Collecting all the previous game transitions we have that

Pr [G0(A) ; ⊥] = Pr [G1(A) ; ⊥]

= Pr [G2(A) ; ⊥]−Advranon-indRS (Ba)

≥ Pr [G3(A) ; ⊥ ∧ Good]−Advranon-indRS (Ba)

= Pr [G4(A) ; ⊥ ∧ Good]−Advranon-indRS (Ba)



= Pr [Good] · Pr [G6(A) ; ⊥]−Advranon-indRS (Ba)

=(η

κ

)−1

·Advruf2RS (A)−Advranon-ind

RS (Ba)

which, combined with (12), implies the lemma statement.The running times of both Bu and Ba includes the time to run A plus the overhead associated

with setting up the additional public keys and answering oracle queries.

Fixed versus arbitrary ring security. The next lemma states that any κ-user ring signaturescheme secure against rogue-key adversaries forging against a particular, fixed ring are also secureagainst the more general ruf3-kr adversaries. This lemma will be useful for simplifying the proofof Theorem 5.4, but we expect that it is also of independent interest.

Lemma 5.2 Let RS = (RPg,RKg,RSign,RVf) be a κ-user ring signature scheme and let Reg =(RegP,RegV) be a registration protocol. Let η ≥ κ. Let A be an ruf3-kr adversary making at mostqs signing queries, at most qc corruption queries, at most qk key registration queries, and runningin time at most t. Then there exists an ruf3-kr-fr adversary B such that

Advruf3-krRS,Reg(A) ≤

(η

κ

)Advruf3-kr-fr

RS,Reg (B)

22

Adversary B(par, (pki)κ1)):

K$← Pκ({1 .. η})

j ← 1For i = 1 to η do

If i /∈ K then(pk′i, sk

′i)← RKg(par)

Register pk′i using OKReg-BElse pk′i ← pkj ; I[i]← j; j ← j + 1

Run A(par, (pk′i)η1), answering queries by:

query ORSign-A(s,V,M)If s ∈ K then Ret ORSign-B(I[s],V,M)Ret RSignsk′s(V,M)

query OCorrupt(i)sk ← ⊥If i 6∈ K then sk ← sk′iElse bad← trueRet sk

A finishes, outputing (P,M, σ)If P 6= K then bad← trueφ← ⊥; V = {pki | i ∈ P}If RVf(V,M, σ) = 1 then

If bad 6= true then φ← ({1, . . . , κ},M, σ)Ret φ


par$← RPg

For i = 1 to κ do (pki, ski)$← RKg(par)

K$← Pκ({1 .. η})

For i = 1 to η doIf i /∈ K then

(pk′i, sk′i)← RKg(par)

Else pk′i ← pkj ; I[i]← j; j ← j + 1Ret (par, (pk′i)

η1)

procedure ORSign-A(s,V,M)If s ∈ K then sk ← skI[s]; Ret RSignsk(V,M)Ret RSignsk′s(V,M)

procedure OCorrupt(i)sk ← ⊥If i 6∈ K then sk ← sk′iElse bad← trueRet sk


If bad 6= true then φ← ({1, . . . , κ},M, σ)Ret φ

Figure 9: Adversary B and game G0 used in proof of Lemma 5.2.

where B runs in time at most t+O(qc+(η+ qs)Time(RS)) and uses at most qs signing queries andat most qk + η − κ registration queries.

Proof: The proof is similar in spirit to the proof of Lemma 5.1. Let A be a legitimate ruf3-kradversary. We build a legitimate ruf3-kr-fr adversary B that uses A. See Figure 9. The adversary Bis given inputs a parameter string and a ring of size κ that it must forge against. Adversary Bhas access to a signing oracle denoted by ORSign-B and a key registration oracle OKReg. Herethe ORSign-B oracle allows queries on (registered) adversarially-chosen keys, as per the ruf3-krexperiment. Adversary B first selects a set of indices K that represent its guess of which partieswill be forged against by A. Then, a new set of keys are generated by B. For every index in Kone of the target keys is used. For all others, B generates its own public key, secret key pair andregisters it as a rogue key using its OKReg-B oracle. Adversary A is run using the full set of ηpublic keys. The table I is used to map between the indices in the set of public keys given to Aand the indices in the set of public keys given to B. Signing queries ORSign-A(s,V,M) from Aare simulated in one of two ways. If the signing key is one of the target keys, then B queries itsORSign-B oracle and returns the result. Otherwise the signing key must be one of those generatedby B initially, and so B uses it to generate the requested ring signature. For corruption queries, ifthe index queried is not in K then the secret key is returned (in this case B knows the secret key).Otherwise ⊥ is returned. Key registration invocations, which aren’t explicitly shown in the figure

23


par$← RPg


K$← Pκ({1 .. η})

Ret (par, (pk′i)η1)

procedure ORSign-A(s,V,M)Ret RSignsks

(V,M)

procedure OCorrupt(i)sk ← ⊥If i /∈ K then sk ← skiElse bad← trueRet sk



Figure 10: Game G1 used in the proof of Lemma 5.2.

for brevity, are just forwarded to B’s OKReg-B oracle.We now proceed through a game-playing sequence to lower bound the advantage of B in terms

of the advantage of A. Game G0 represents the first game, see Figure 6. It is equivalent to theadversary B except that it generates the parameter string and honest public keys itself and answersORSign-A queries with s ∈ K directly via computing RSign. It dispenses with the registrationof the public keys it generates, which is no longer necessary since the game now also simulatesthe environment. Key registration queries made by A are handled by simulating a new instanceof RegV (this is not shown in Figure 9 for brevity, nor will it be shown in the rest of the games asit never changes). Since the outputs of G0(A) and B are distributed equivalently and B forges anytime it doesn’t output ⊥, we have

Advruf3-kr-frRS (B) = Pr [G0(A) ; ⊥] . (18)

Game G1 (Figure 10, boxed statements omitted) simplifies the Initialize procedure by pickingone set of η public keys. This means that the table I is no longer needed, and thus omitted.The ORSign-A oracle is thus written more simply; the new code implements the same function-ality as the ORSign-A oracle of G0. The Finalize procedure outputs (P,M, σ) as opposed to({1, . . . , κ},M, σ) in G0, but this does not change the probability with which the game outputs ⊥.We have that

Pr [G0(A) ; ⊥] = Pr [G1(A) ; ⊥] . (19)

The rest of the game sequence (what would be games G1—G4) is similar to the sequence G3—G6used in the proof of Lemma 5.1 (except for the implicit key registration oracle), see Figure 8. Wetherefore omit the next 4 games and their analysis, which can be easily adapted from the games

24

and analysis in the proof of Lemma 5.1. We conclude that

Pr [G1(A) ; ⊥] ≥(η

κ

)−1

·Advruf3-krRS,Reg(A)

which combined with (18) and (19) implies the lemma statement.The running time of B is equal to the running time of A plus the overhead of initializing the

public keys and answering oracle queries, leading to the time bound given in the lemma statement.

5.3 KOSK Improves Unforgeability Guarantees

Using the key registration protocol Kosk, any scheme that is unforgeable with respect to corruptionattacks (ruf2) and meets our strong definition of anonymity is also secure against rogue-key attacks(ruf3-kr). Note that this result (unlike those in the last section) applies to any ring signaturescheme, not just κ-user ring signature schemes.

Theorem 5.3 Fix η and let RS = (RPg,RKg,RSign,RVf) be a ring signature scheme. Let A be anruf3 adversary with respect to the Kosk protocol that makes at most qs signature queries, at mostqc corruption queries, at most qk registration queries, and runs in time at most t. Then there existadversaries Ba and Bu such that

Advruf3-krRS,Kosk(A) ≤ Advranon-ind

RS (Ba) + Advruf2RS (Bu)

where Ba and Bu both run in time at most t + O(qk + qc + (qs + η + 1)Time(RS)) and make atmost qs sign queries and at most qc corrupt queries.

Before proceeding to the proof we point out that one can apply Lemma 5.1 and then Theorem 5.3 tothe two 2-user ring signature schemes from Bender et al., rendering them secure against rogue-keyattacks when Kosk is used for key registration. Now we prove Theorem 5.3.

Proof: Let A be a legitimate ruf3 adversary with respect to the Kosk key registration protocol. Inthis case the key registration oracle registers the public key of any valid (pk, sk) pair queried by A.We can assume without loss of generality that A never queries its registration oracle with a pair(pk, sk) that is not a valid key pair. We specify a legitimate ruf2 adversary Bu, shown in Figure 11,that takes input a parameter string and set of public keys and has access to a ruf2 signing oracle(denoted ORSign-2). It utilizes a table P to record the secret keys registered for adversarially-chosen public keys (initially, P is everywhere undefined). Adversary Bu runs A and responds to A’ssigning queries in one of two ways. If all the public keys in the query are ones generated by theenvironment, then Bu uses its ORSign-2 oracle to generate the response. Otherwise, it uses thesecret key registered for one of the adversarially-chosen public keys (say, the lexicographically first)to answer the query. Since A is legitimate, any adversarially-chosen public key used in a signingquery must first have been registered. Adversary Bu is legitimate because A is legitimate andbecause Bu never queries its ORSign-2 oracle with a set of public keys including rogue keys.

We specify a game G0 in Figure 11 which is just like Bu, except that it runs the parameterstring and the public key, secret key generation algorithms itself and answers ORSign-3 andOCorrupt-3 queries directly. Its output is distributed identically to Bu and Bu forges anytime itsoutput is not ⊥. Thus

Advruf2RS (Bu) = Pr [G0(A) ; ⊥] . (20)

Game G1 combines the Initialize, OCorrupt, OKReg, and Finalize procedures of G0 with theORSign-3 procedure (labeled G1) shown in Figure 11. In G1 sks is always utilized to generate

25

Adversary Bu(par, (pki)η1)

S ← {pk1, . . . , pkη}Run A(par, (pki)


query ORSign-3(s,V,M)If V ⊆ S then Ret ORSign-2(s,V,M)Let pk be s.t. pk ∈ V\SRet RSignP[pk](V,M)

query OCorrupt-3(i)Ret OCorrupt-2(i)

query OKReg(pk, sk)P[pk]← skReturn pk

A finishes, outputing (P,M, σ)V ← {pki | i ∈ P}If RVf(V,M, σ) = 1 then Ret (P,M, σ)Ret ⊥

procedure ORSign-3(s,V,M) G1If V ⊆ S then Ret RSignsks

(V,M)Let pk be s.t. pk ∈ V\SRet RSignsks

(V,M)

Adversary Ba(par, (pki)η1)):



query ORSign-3(s,V,M)If V ⊆ S then Ret RSignsks

(V,M)Let pk be s.t. pk ∈ V\SRet ORSignLR({P[pk], sks},V,M)

query OCorrupt-3(i)Ret ski

query OKReg(pk, sk)P[pk]← skReturn pk

A finishes, outputing (P,M, σ)V ← {pki | i ∈ P}If RVf(V,M, σ) = 1 then Ret 1Ret 0

procedure Initialize: G0, G1

par$← RPg




procedure ORSign-3(s,V,M) G0If V ⊆ S then Ret RSignsks

(V,M)Let pk be s.t. pk ∈ V\SRet RSignP[pk](V,M)

procedure OCorrupt-3(i) G0, G1Ret ski

procedure OKReg(pk, sk) G0, G1P[pk]← skReturn pk

procedure Finalize(P,M, σ) G0, G1V ← {pki | i ∈ P}If RVf(V,M, σ) = 1 then Ret (P,M, σ)Ret ⊥

procedure Initialize: G2

par$← RPg





(V,M)

procedure OCorrupt-3(i)Ret ski

procedure OKReg(pk, sk)P[pk]← skReturn pk

procedure Finalize(P,M, σ)V ← {pki | i ∈ P}If RVf(V,M, σ) = 1 then Ret (P,M, σ)Ret ⊥

Figure 11: Games and adversaries used in the proof of Theorem 5.3. Game G1 (resp. G2) is fullyspecified by replacing the ORSign-3 procedure of G0 with the ORSign-3 labeled with G1 (resp.G2).

26

responses to signing queries. To bound the loss due to this change, we build an ranon-ind ad-versary Ba and will relate the difference in the output distributions of G0(A) and G1(A) to theadvantage of Ba. Figure 11 shows the adversary. It behaves exactly like G0 and G1 except that itutilizes its ORSignLR oracle to respond to some signing queries. By the definition of ranon-indadvantage we have that

Advranon-indRS (Ba) = Pr

[Expranon-ind-1

RS (Ba)⇒1]− Pr

[Expranon-ind-0

RS (Ba)⇒1]. (21)

Note that if Ba is run in the ranon-ind-1 experiment, then the secret key sks is always utilizedto answer Ba’s oracle queries. Thus Ba returns a one whenever G1(A) would not output ⊥,and so we have that Pr

[Expranon-ind-1

RS (Ba)⇒ 1]

= Pr [G1(A) ; ⊥]. Similarly, if Ba is run inthe ranon-ind-0 experiment, then the secret key P[pk] is always used to answer Ba’s queries. SoPr

[Expranon-ind-0

RS (Ba)⇒ 1]

= Pr [G0(A) ; ⊥]. Substituting back into (21) and re-arranging wehave that

Pr [G0(A) ; ⊥] = Pr [G1(A) ; ⊥]−Advranon-indRS (Ba) . (22)

The final game is G2, which just simplifies the ORSign-3 oracle from game G1. The changedoes not change the functionality of the oracle, and thus Pr [G1(A) ; ⊥] = Pr [G2(A) ; ⊥]. Nowit is apparent that G2 simulates for A exactly the experiment Expruf2

RS (A) and so we have thatPr [G2(A) ; ⊥] = Advruf2

RS (A). Combining all of the above, we have that

Advruf3RS,Kosk(Bu) = Pr [G0(A) ; ⊥]



= Advruf2RS (A)−Advranon-ind

RS (Ba) .

The running time of Bu and Ba are (each) the running time of A plus the overhead needed torespond to A’s oracle queries, leading to the time bounds given in the theorem statement.

5.4 Ring Signatures with POPs

For all the reasons already described, we’d like to avoid the KOSK assumption wherever possi-ble. Thus, we give a proof-of-possession based registration protocol for the 2-user scheme basedon Waters signatures from Bender et al. [10]. Let G1,G2,GT , p, g, e be pairing parameters withG1 = G2 = G. Let WRS = (W-RKg,W-RSign,W-RVf) be the ring signature scheme defined asbelow.

W-RKg

sk$← Zp; g1 ← gsk

u, u1, . . . , un$← Gn+1

pk ← (g1, u, ~u)Return (pk, sk)

W-RSign(sk, {pk, pk′},M)

(g1, u, ~u)← pk(g′1, u

′, ~u′)← pk′

r$← Zp; ρ← gr

Y ← Hu,~u(M) ·Hu′,~u′(M)σ ← (g′1)

sk · Y r

Return (σ, ρ)

W-RVf({pk, pk′},M, (σ, ρ))

(g1, u, ~u)← pk(g′1, u

′, ~u′)← pk′

Y ← Hu,~u(M) ·Hu′,~u′(M)If e(g1, g′1) · e(Y, ρ) = e(σ, g) then

Return 1Return 0

When we write (g1, u, ~u) ← pk (resp. (g′1, u′, ~u′) ← pk′), we mean that pk (resp. pk′) is parsed

into its constituent parts. In [10] the scheme is proven secure against ruf1 adversaries and we canapply Theorem 5.1 to show security against ruf2 adversaries. Additionally it is easy to see that

27

the scheme is perfectly ranon-ind. However, as shown in [37] the scheme is not secure againstrogue-key attacks (in the plain setting). We now show a simple proof-of-possession based regis-tration protocol under which provable security against rogue-key attacks can be achieved. Chooseglobal parameters (h0, h1, w, w1, . . . , wn)

$← (G1)n+3 (this will require trusted setup, since theCA should not know the discrete logs of these values). Then we specify the registration pro-tocol WR-Pop = (WR-PopP,WR-PopV). Algorithm WR-PopP takes as input (pk, sk) and sendspk || (π0, $0, π1, $1) which is computed by generating the two signatures W-SignHw,~w(hsk0 , 〈pk〉n)and W-SignHw,~w(hsk1 , 〈pk〉n). Algorithm WR-PopV, upon receiving the message, verifies the signa-tures in the natural way: get g1 from pk and check that both e(g1, h0)·e(Hw,~w(〈pk〉n), $0) = e(π0, g)and e(g1, h1)·e(Hw,~w(〈pk〉n), $1) = e(π1, g). If both signatures verify, the algorithm replies with pkand otherwise ⊥. The following theorem captures the security of WRS with respect to the WR-Popregistration protocol.

Theorem 5.4 Fix η ≥ 2. Let A be an ruf3-kr adversary with respect to the WR-Pop protocol thatmakes at most qs signature queries, qc corruption queries, qk key registration queries, and runs intime at most t. Then there exists an adversary B such that

Advruf3-krWRS,WR-Pop(A) ≤ η2Advuf

W(B)

where B makes at most qs signing queries and runs in time at most t+O(qc+(n+qs+1)Time(WRS).

Proof: In fact we consider an ruf3-kr-fr adversary A (with respect to the WR-Pop protocol), and willlater apply Lemma 5.2 to prove the theorem. We use A to build a uf adversary B against the Waterssignature scheme; the adversary B is shown in Figure 12. Adversary B is given input a parameterstring and Waters’ public key and has access to a Waters’ signing oracle OSign. First it parsesthe parameter string and Waters’ public key pk∗, notated by the code (g1, u, u1, . . . , un)← pk∗. Itgenerates two WRS public keys. The first, pk∗0, is composed of g1 and a set of randomly chosengroup elements a,~a. The second, pk∗1, is composed of the Waters’ parameter h and a set of groupelements b,~b chosen to be the Waters’ elements u, ~u component-wise divided by the values a,~a.Lastly it generates the public parameters for the WR-Pop protocol, programming the values h0 andh1 to include the group elements g1 and h, respectively. The values w, ~w are chosen so that theenvironment knows their discrete logs (base g). The adversary handles A’s queries as follows. Forkey registration, the POP is simply recorded in a table P, which is initially undefined everywhere.Without loss of generality we assume A only sends valid POPs. For signing queries, A will eitherquery on the set of public keys V including both pk∗0 and pk∗1 or at least one of the two (recall thatbecause A is legitimate, it will never query on two keys it chose, and all adversarially-chosen keysqueried to ORSign will have been previously registered). If the former, then B uses its signingoracle to generate a response. Otherwise, it utilizes the POP of the adversarially-chosen public keyto assist it in computing a response. The code (pk∗s , pk) ← V means: (1) parse V as two publickeys pk′ and pk and (2) let s ∈ {0, 1} be such that pk′ = pk∗s . Finally when A finishes, B outputsA’s forgery in the case that it verifies and otherwise outputs ⊥.

We now show that if A outputs a successful forgery, then B does also. The forgery is of theform ({pk∗0, pk∗1},M, (σ, ρ)) and if W-RVf verifies then we know that e(g1, h)·e(Y, ρ) = e(σ, g) whereY = Ha,~a(M) ·H

b,~b(M). But we have that for any M ∈ {0, 1}n that

Ha,~a(M) ·Hb,~b

(M) = a · b ·n∏i=1

(aibi)M [i] = a · ua·n∏i=1

(ai ·

uiai

)M [i]

= u ·n∏i=1

(ui)M [i] = Hu,~u(M) . (23)

Thus σ, ρ are such that W-VfHu,~u(pk∗,M, (σ, ρ)) = 1.

28

Adversary B(par, g1)(h, u, u1, . . . , un)← par

a, a1, . . . , an$← Gn+1

pk∗0 ← (g1, a, a1, . . . , an)b← u/a; For j = 1 to n do bj ← uj/ajpk∗1 ← (h, b, b1, . . . , bn)β0, β1, x, x1, . . . , xn

$← Zn+3p

h0 ← g1gβ0 ;h1 ← hgβ1

w, ~w ← gx, gx1 , . . . , gxn

Run A(h0, h1, w, ~w, (pk∗0, pk∗1)), answering

queries by

query ORSign(s,V,M)If V = {pk∗0, pk∗1} then Ret OSign(M)(pk∗s , pk)← V; (g, z, z1, . . . , zn)← pk(π0, $0), (π1, $1)← P[pk]

r$← Zp; P ← $

x+Σnj=1xjpk[j]

s

If s = 0 then Y ← Hz,~z(M) ·Ha,~a(M)Else Y ← Hz,~z(M) ·H

b,~b(M)

σ ← πs · Y r · g−βs · P−1

Ret (σ, gr)

query OKReg(pk, (π0, $0, π1, $1))P[pk]← (π0, $0, π1, $1); Ret pk

A finishes, outputing (P,M, (σ, ρ))φ← ⊥If RVf({pk∗0, pk∗1},M, (σ, ρ)) = 1 thenφ← (M, (σ, ρ))

Ret φ


u, ~u$← Gn+1; α, δ $← Zp; h← gδ; g1 ← gα

a, a1, . . . , an$← Gn+1


$← Zn+3p

h0 ← g1gβ0 ;h1 ← hgβ1

w, ~w ← gx, gx1 , . . . , gxn

Ret (h0, h1, w, ~w, (pk∗0, pk∗1))

procedure ORSign(s,V,M)If V = {pk∗0, pk∗1} then

Ret W-SignHu,~u(hα,M)(pk∗s , pk)← V; (g, z, z1, . . . , zn)← pk(π0, $0), (π1, $1)← P[pk]

r$← Zp; P ← $

x+Σnj=1xjpk[j]

s


b,~b(M)

σ ← πs · Y r · g−βs · P−1

Ret (σ, gr)

procedure OKReg(pk, (π0, $0, π1, $1))P[pk]← (π0, $0, π1, $1); Ret pk

procedure Finalize(P,M, (σ, ρ))φ← ⊥If RVf({pk∗0, pk∗1},M, (σ, ρ)) = 1 thenφ← (M, (σ, ρ))

Ret φ

Figure 12: Adversary B and game G0 used in the proof of Theorem 5.4.

We proceed through a sequence of games to lower bound B’s advantage. The first game isG0, shown in Figure 12. It is exactly like adversary B except that it produces the Waters’ schemeparameters and keys itself. Instead of querying an OSign oracle it runs W-Sign directly. Theoutput of B and G0 are the same, and since B forges against W (as argued above) any time ⊥ isnot output we have

AdvufW(B) = Pr [G0(A) ; ⊥] . (24)

The next game is G1, shown in Figure 13. Instead of computing W-SignHu,~u(hα,M) it computesW-RSign(α,V,M). Here α corresponds to the secret key of pk∗0. In fact this change is without lossbecause they compute the same values. The former generates σ = hα · Hu,~u(M)r and ρ = gr for

r$← Zp. The latter generates σ′ = hα ·

(Ha,~a(M) ·H

b,~b(M)

)rand ρ′ = gr for r $← Zp. Applying (23)

to σ′ we have that σ′ = hα ·Hu,~u(M)r = σ and so the computations are equivalent. We have just

29


u, ~u$← Gn+1; α, δ $← Zp; h← gδ; g1 ← gα

a, a1, . . . , an$← Gn+1


$← Zn+3p

h0 ← g1gβ0 ;h1 ← hgβ1

w, ~w ← gx, gx1 , . . . , gxn

Ret (h0, h1, w, ~w, (pk∗0, pk∗1))


Ret W-RSign(α,V,M)(pk∗s , pk)← V; (g, z, z1, . . . , zn)← pk(π0, $0), (π1, $1)← P[pk]

r$← Zp; P ← $

x+Σnj=1xjpk[j]

s


b,~b(M)

σ ← πs · Y r · g−βs · P−1

Ret (σ, gr)



Ret φ


u, ~u$← Gn+1; α, δ $← Zp; h← gδ; g1 ← gα

a, a1, . . . , an$← Gn+1


$← Zn+3p

h0 ← g1gβ0 ;h1 ← hgβ1

w, ~w ← gx, gx1 , . . . , gxn

Ret (h0, h1, w, ~w, (pk∗0, pk∗1))


Ret W-RSign(α,V,M)If s = 0 then Ret W-RSign(α,V,M)Ret W-RSign(δ,V,M)



Ret φ

Figure 13: Games G1 and G2 used in proof of Theorem 5.4.

argued that

Pr [G0(A) ; ⊥] = Pr [G1(A) ; ⊥] . (25)

Game G2 simplifies handling of signing queries further. Queries on V = {pk∗0, pk∗1} are handledas in game G1. There are two other cases. First if V = {pk∗0, pk}, the response is computed viaW-RSign(α,V,M). Second if V = {pk∗1, pk}, the response is computed via W-RSign(δ,V,M). (Notethat δ is the discrete log of h base g, and plays the role of sk∗1.) We focus on the first case, wheres = 0, showing that G1 and G2 implement the same signing functionality when queried by A onV = {pk∗0, pk} and a message M for some adversarially-chosen public key pk = (g, z, ~z). (The othercase is argued similarly.) In G1 such a query is answered by

σ = π0 · Y r · g−β0 ·($x+

Pnj=1 xjpk[j]

0

)−1

(26)

and a value gr where r$← Zp. Since A is legitimate, the POP tuple (π0, $0) verifies under

30

WR-PopV, meaning that

e(π0, g) = e(g, h0) · e(Hw,~w(pk), $0)

= e(g, g1gβ0) · e(Hw,~w(pk), $0)

= e(g, g1) · e(g, gβ0) · e(Hw,~w(pk), $0) (27)

and since g1 = gα the properties of e give that e(g, g1) = e(gα, g). Substituting this into (27) andrearranging gives

e(gα, g) =e(π0, g)

e(g, gβ0) · e(Hw,~w(pk), $0)

=e(π0, g)

e(g, gβ0) · e(gx+Pn

i=1 xipk[i], $0)

=e(π0, g)

e(gβ0 , g) · e($x+

Pni=1 xipk[i]

0 , g)

=e(π0, g)

e(gβ0 ·$x+

Pni=1 xipk[i]

0 , g)

= e(π0 · g−β0 ·

($x+

Pni=1 xipk[i]

0

)−1, g

). (28)

Above we have utilized the properties of e to derive the chain of equalities. Equation (28) givesthat

gα = π0 · g−β0 ·($x+

Pni=1 xipk[i]

0

)−1. (29)

and substituting (29) into (26) we see that σ = gα · Y r. Investigating the definition of W-RSign,we see that the output of W-RSign(α,V,M) is (gα · Y r, gr) when V = {pk∗0, pk} and where r $← Zp.Thus the handling of this query in G1 results in the same response as the code handling this queryin G2. The other case can be argued similarly, giving that

Pr [G1(A) ; ⊥] = Pr [G2(A) ; ⊥] . (30)

In game G3, we further simplify the ORSign procedure, always returning exactly the ring signaturerequested by A. Since WRS is perfectly ranon-ind anonymous there is no distinction between thehandling of signing queries in G2 and in G3. Thus,

Pr [G2(A) ; ⊥] = Pr [G3(A) ; ⊥] . (31)

In the final game G4 we re-write the Initialize procedure, computing values as shown in Figure 14.The distributions of the variables returned by the procedure remain unchanged, giving that

Pr [G3(A) ; ⊥] = Pr [G4(A) ; ⊥] . (32)

Now however we note that G4 exactly implements the ruf3-kr-fr experiment with respect to theWR-Pop protocol. Thus we have that Pr [G4(A) ; ⊥] = Advruf3-kr-fr

WRS,WR-Pop(A) and combining all theabove game transitions we have that Advruf3-kr-fr

WRS,WR-Pop(A) ≤ AdvufW(B).

The adversary B runs in time at most the running time of A plus the overhead of the simu-lation. This includes O(n ·Time(WRS)) operations, which is the time to initialize the public keys;O(qsTime(WRS)) operations, for simulating signing queries; O(qc) operations, for handling regis-tration queries; and a single Time(WRS) for the verification procedure. Thus the total runningtime is at most t+O(qc + (n+ qs + 1)Time(WRS)).

31


u, ~u$← Gn+1; α, δ $← Zp; h← gδ; g1 ← gα

a, a1, . . . , an$← Gn+1


$← Zn+3p

h0 ← g1gβ0 ;h1 ← hgβ1

w, ~w ← gx, gx1 , . . . , gxn

Ret (h0, h1, w, ~w, (pk∗0, pk∗1))

procedure ORSign(s,V,M)If s = 0 then Ret W-RSign(α,V,M)Ret W-RSign(δ,V,M)



Ret φ


α, δ$← Zp; h← gδ; g1 ← gα

a, a1, . . . , an$← Gn+1

pk∗0 ← (g1, a, a1, . . . , an)b, b1, . . . , bn

$← Gn+1

pk∗1 ← (h, b, b1, . . . , bn)h0, h1, w, w1, . . . , wn

$← Gn+3

Ret (h0, h1, w, ~w, (pk∗0, pk∗1))

procedure ORSign(s,V,M)If s = 0 then Ret W-RSign(α,V,M)Ret W-RSign(δ,V,M)



Ret φ

Figure 14: Games G3 and G4 used in proof of Theorem 5.4.

We can now apply Lemma 5.2, which adds a factor ν2 but does not require additional time overthat already used by adversary B.

Acknowledgements

The authors thank Mihir Bellare for suggesting that they investigate the security of multisignatureschemes when the proof of knowledge is replaced by a proof of possession akin to ones currentlyused in PKIs, and for many useful discussions. The authors thank the anonymous reviewers fortheir helpful comments.

References

[1] C. Adams, S. Farrell, T. Kause, T. Mononen. Internet X.509 public key infrastructure certifi-cate management protocols (CMP). Request for Comments (RFC) 4210, Internet EngineeringTask Force (September 2005)

[2] N. Asokan, V. Niemi, P. Laitinen. On the usefulness of proof-of-possession. In Proceedings ofthe 2nd Annual PKI Research Workshop. (2003) 122–127

[3] M. Bellare. CSE 208: Advanced Cryptography. UCSD course (Spring 2006).[4] M. Bellare, O. Goldreich. On Defining Proofs of Knowledge. In Advances in Cryptology –

CRYPTO ’92. Volume 740 of Lecture Notes in Computer Science, pp. 390–420, E. Brickell ed.,Springer-Verlag, 1993

32

[5] M. Bellare, T. Kohno, V. Shoup. Stateful public-key cryptosystems: how to encrypt withone 160-bit exponentiation. In Proceedings of the 13th ACM Conference on Computer andCommunications Security (CCS), pp. 380–389, ACM, 2006

[6] M. Bellare, C. Namprempre, G. Neven. Unrestricted aggregate signatures. Cryptology ePrintArchive, Report 2006/285 (2006) http://eprint.iacr.org/.

[7] M. Bellare, G. Neven. Multi-signatures in the plain public-key model and a generalized fork-ing lemma. In Proceedings of the 13th ACM Conference on Computer and CommunicationsSecurity (CCS), pp. 390–399, ACM, 2006

[8] M. Bellare, P. Rogaway. Random oracles are practical: a paradigm for designing efficientprotocols. In Proceedings of the 1st ACM Conference on Computer and CommunicationsSecurity (CCS), pp. 62–73, ACM, 1993

[9] M. Bellare, P. Rogaway. The security of triple encryption and a framework for code-basedgame-playing proofs. In Advances in Cryptology – EUROCRYPT ’06. Volume 4004 of LectureNotes in Computer Science, pp. 409–426, S. Vaudenay ed., Springer-Verlag, 2006

[10] A. Bender, J. Katz, R. Morselli. Ring signatures: Stronger definitions, and constructionswithout random oracles. In Third Theory of Cryptography Conference – TCC ’06. Volume3876 of Lecture Notes in Computer Science, pp. 60–79, Springer-Verlag, 2006

[11] A. Boldyreva. Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme. In Proceedings of the 6th International Workshop onTheory and Practice in Public Key Cryptography – PKC ’03. Volume 2567 of Lecture Notes inComputer Science, pp. 31–46, Springer-Verlag, 2003

[12] A. Boldyreva, M. Fischlin, A. Palacio, B. Warinschi. A closer look at PKI: security andefficiency. In Proceedings of the 10th International Conference on Practice and Theory inPublic Key Cryptography – PKC ’07, Volume 4450 of Lecture Notes in Computer Science, T.Okamoto, X. Wang eds., Springer-Verlag, 2007

[13] D. Boneh, C. Gentry, B. Lynn, H. Shacham. Aggregate and verifiably encrypted signaturesfrom bilinear maps. In Advances in Cryptology – EUROCRYPT ’03. Volume 2656 of LectureNotes in Computer Science, pp. 416–432, E. Biham ed., Springer-Verlag, 2003

[14] D. Boneh, B. Lynn, H. Shacham. Short signatures from the weil pairing. In Advances inCryptology – ASIACRYPT ’01. Volume 2248 Lecture Notes in Computer Science, pp. 514–532, C. Boyd ed., Springer-Verlag, 2001

[15] J.S. Coron. On the exact security of full domain hash. In Advances in Cryptology – CRYPTO’00. Volume 1880 of Lecture Notes in Computer Science, pp. 229–235, M. Bellare ed., Springer-Verlag, 2000

[16] A. De Santis, G. Persiano. Zero-knowledge proofs of knowledge without interaction (extendedabstract). In 33rd Annual Symposium on Foundations of Computer Science – FOCS ’92, pp.427–436, IEEE, 1992

[17] M. Fischlin. Communication-efficient non-interactive proofs of knowledge with online extrac-tors. In Advances in Cryptology – CRYPTO ’05. Volume 3621 of Lecture Notes in ComputerScience, pp. 152–168, V. Shoup ed., Springer-Verlag, 2005

[18] S. Goldwasser, S. Micali, R. Rivest. A Paradoxical Solution to the Signature Problem. In 25thAnnual Symposium on Foundations of Computer Science – FOCS ’84, pp. 441–449, IEEE,1984

[19] J. Groth, R. Ostrovsky, A. Sahai. Perfect non-interactive zero knowledge for NP. In Advancesin Cryptology – EUROCRYPT ’06. Volume 4004 of Lecture Notes in Computer Science, pp.339–358, C. Dwork ed., Springer-Verlag, 2006

[20] L. Harn. Group-oriented (t,n) threshold digital signature scheme and digital multisignature.Computers and Digital Techniques, IEEE Proceedings 141(5) (1994) 307–313

33

[21] J. Herranz. Some digital signature schemes with collective signers. Ph.D. Thesis, UniversitatPolitecnica De Catalunya, Barcelona. April, 2005.

[22] P. Horster, M. Michels, H. Petersen. Meta signature schemes based on the discrete loga-rithm problem. In IFIP TC11 Eleventh International Conference on Information Security(IFIP/SEC 1995) (1995) 128–141

[23] M. Jakobsson, K. Sako, R. Impagliazzo. Designated verifier proofs and their applications.In Advances in Cryptology – EUROCRYPT ’96. Volume 1070 of Lecture Notes in ComputerScience, pp. 143–154, U. Maurer ed., Springer-Verlag, 1996

[24] F. Laguillaumie, D. Vergnaud. Designated verifier signatures: anonymity and efficient con-struction from any bilinear map. In Security in Communication Networks, 4th InternationalConference, SCN 2004. Volume 3352 of Lecture Notes in Computer Science, pp. 105–119,Springer, 2005

[25] S.K. Langford. Weakness in some threshold cryptosystems. In Advances in Cryptology –CRYPTO ’96. Volume 1109 of Lecture Notes in Computer Science, pp. 74–82, N. Koblitz ed.,Springer-Verlag, 1996

[26] C.M. Li, T. Hwang, N.Y. Lee. Threshold-multisignature schemes where suspected forgeryimplies traceability of adversarial shareholders. In Advances in Cryptology – EUROCRYPT’94. Volume 950 of Lecture Notes in Computer Science, pp. 194–204, A. DeSantis ed., Springer-Verlag, 1995

[27] H. Lipmaa, G. Wang, F. Bao. Designated verifier signature schemes: attacks, new securitynotions and a new construction. In 32nd International Colloquium on Automata, Languagesand Programming – ICALP 2005. Volume 3580 Lecture Notes in Computer Science, pp. 459–471, Springer-Verlag, 2005

[28] S. Lu, R. Ostrovsky, A. Sahai, H. Shacham, B. Waters. Sequential aggregate signatures andmultisignatures without random oracles. In Advances in Cryptology – EUROCRYPT ’06.Volume 4004 of Lecture Notes in Computer Science, pp. 465–485, S. Vaudenay ed., Springer-Verlag, 2006

[29] A. Lysyanskaya, S. Micali, L. Reyzin, H. Shacham. Sequential Aggregate Signatures fromTrapdoor Permutations. In Advances in Cryptology – EUROCRYPT ’04. Volume 3027 ofLecture Notes in Computer Science, pp. 74–90, C. Cachin, J. Camenisch eds., Springer-Verlag,2004

[30] M. Michels, P. Horster. On the risk of disruption in several multiparty signature schemes.In Advances in Cryptology – ASIACRYPT ’96. Volume 1163 of Lecture Notes in ComputerScience, pp. 334–345, K. Kim, T. Matsumoto eds., Springer-Verlag, 1996

[31] S. Micali, K. Ohta, L. Reyzin. Accountable-subgroup multisignatures. In Proceedings of the8th ACM Conference on Computer and Communications Security – CCS ’01, pp. 245–254,ACM, 2001

[32] K. Ohta, T. Okamoto. A digital multisignature scheme based on the Fiat-Shamir scheme.In Advances in Cryptology – ASIACRYPT ’91. Volume 739 of Lecture Notes in ComputerScience, pp. 139–148, H. Imai, R. Rivest, T. Matsumoto eds., Springer-Verlag, 1993

[33] K. Ohta, T. Okamoto. Multi-signature schemes secure against active insider attacks. IEICETransactions on Fundamentals of Electronics Communications and Computer Sciences E82-A(1) (1999) 21–31

[34] R.L. Rivest, A. Shamir, Y. Tauman. How to leak a secret. In Advances in Cryptology –ASIACRYPT ’01. Volume 2248 of Lecture Notes in Computer Science, pp. 552–565, C. Boyded., Springer-Verlag, 2001

[35] RSA Laboratories: RSA PKCS #10 v1.7: Certification Request Syntax Standard ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-10/pkcs-10v1 7.pdf.

34

[36] J. Schaad. Internet X.509 public key infrastructure certificate request message format (CRMF).Request for Comments (RFC) 4211, Internet Engineering Task Force (September 2005)

[37] H. Shacham, B. Waters. Efficient ring signatures without random oracles. In Proceedingsof the 10th International Conference on Practice and Theory in Public Key Cryptography –PKC ’07, Volume 4450 of Lecture Notes in Computer Science, T. Okamoto, X. Wang eds.,Springer-Verlag, 2007

[38] R. Steinfeld, L. Bull, H. Wang, J. Pieprzyk. Universal designated-verifier signatures. In Ad-vances in Cryptology – ASIACRYPT ’03. Volume 2894 of Lecture Notes in Computer Science,pp. 523–542, C.S. Laih ed., Springer-Verlag, 2003

[39] B. Waters. Efficient identity-based encryption without random oracles. In Advances in Cryp-tology – EUROCRYPT ’05. Volume 3494 of Lecture Notes in Computer Science, pp. 114–127,R. Cramer ed., Springer-Verlag, 2005

A Ring Signature Anonymity Definitions

We recall the strongest definition from [10], anonymity with respect to full key exposure. LetRS = (RPg,RKg,RSign,RVf) be a ring signature scheme and A be an adversary. The experimentExpranon-fke-b

RS (A) is defined in Figure 15. Note that we only allow adversaries which make onequery to ORSignLR. We define the ranon-fke advantage of A by

Advranon-fkeRS (A) = Pr

[Expranon-fke-0

RS (A)⇒ 1]− Pr

[Expranon-fke-1

RS (A)⇒ 1]

We compare this definition to the ranon-ind anonymity definition given in Section 5. Recall that,intuitively, the ranon-ind definition requires that no adversary can determine which secret key wasused to sign, even if the adversary itself chooses all the keys. First we show a separation, that thereexist schemes which are secure in the ranon-fke sense but not in the ranon-ind sense.

Theorem A.1 Let RS = (RPg,RKg,RSign,RVf) be a ring signature scheme and let A, B, and Cbe ranon-ind, ranon-fke, and ruf3-kr adversaries, respectively. Then there exists a ring signaturescheme RS′ such that

Advranon-indRS′ (A) = 1

Advranon-fkeRS′ (B) = Advranon-fke

RS (B)

Advruf3-krRS′ (C) = Advruf3-kr

RS (C)

Proof: Let RS = (RPg,RKg,RSign,RVf) be a ring signature scheme. Define a new ring signaturescheme RS′ = (RPg,RKg′,RSign′,RVf ′) as follows. Parameter generation is equivalent. Key genera-tion first runs (pk, sk) $← RKg and then returns (pk, sk || 0). Signature generation RSignsk || d(V,M)

works by first running σ$← RSignsk(V,M) and then outputing σ || d. Verification of (V,M, σ′)

works by first dropping the last bit of σ′ to get σ, and then returning RVf(V,M, σ).Now we show that there exists a ranon-ind adversary A that has advantage one against RS′.

The adversary runs (pk0, sk0), (pk1, sk1)$← RKg and then lets sk′0 = sk0 || 0 and sk′1 = sk0 || 1.

It then queries ORSignLR({sk0, sk1}, {pk0, pk1},M) for any message M . The adversary outputsthe last bit of the returned signature. Clearly its advantage is one.

It is easy to verify that any ranon-fke adversary B has equivalent advantage against either RSor RS′ and similarly for any ruf3-kr adversary C (relative to any key registration protocol).

35

Experiment Expranon-fkeRS (A)

b$← {0, 1}; par $← RPg


K = {ski | i ∈ [1 .. η]}Run A(par, (pki)

η1)) handling oracle queries as follows

ORSign(s,V,M), where s ∈ [1 .. η]; pks ∈ VRet RSignsks

(V,M)ORSignLR({i0, i1},V,M), where i0, i1 ∈ [1 .. η]; i0 6= i1; pki0 , pki1 ∈ V

Ret (K,RSignskib(V,M))

A outputs b′

Ret b′ = b

Figure 15: Ring signature full-key exposure anonymity experiment.

On the other hand, it is straightforward to see that security in the ranon-ind sense impliessecurity in the ranon-fke sense. Briefly, assume we have an adversary A against the anonymity ofa ring signature scheme in the full key exposure experiment. We can build an adversary B thatuses A to distinguish in the ranon-ind game. The adversary B picks η key pairs pki, ski and givethem to A. Then, it simulates, using these secret keys, adversary A’s signing and corruption oraclesin the natural way. Finally A outputs a pair of indices i0, i1, a message M , and a target groupV. In turn, B queries its left-or-right oracle on (ski0 , ski1 ,V,M) and forwards the response to A.When A outputs a bit, the adversary B returns it.

36

Documents

The Power of Proofs-of-Possession: Securing Multiparty ... · have the adversary use a public key that is a function of an honest user’s key, allowing him to produce forgeries easily